prevent against out-of-order IAKERB tokens

git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/iakerb-refonly@23275 dc483132-0cff-0310-8789-dd5450dbe970

2 files changed, 8 insertions, 1 deletions

diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 551c757..de83a73 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -253,7 +253,8 @@ extern k5_mutex_t gssint_krb5_keytab_lock;
 
 #define kg_validate_name(name)          g_validate_name(&kg_vdb,name)
 #define kg_validate_cred_id(cred)       g_validate_cred_id(&kg_vdb,cred)
-#define kg_validate_ctx_id(ctx)         g_validate_ctx_id(&kg_vdb,ctx)
+#define kg_validate_ctx_id(ctx)         (g_validate_ctx_id(&kg_vdb,ctx) && \
+                                         ((krb5_gss_ctx_id_t)ctx)->magic == KG_CONTEXT)
 #define kg_validate_lucidctx_id(lctx)   g_validate_lucidctx_id(&kg_vdb,lctx)
 
 #define kg_delete_name(name)            g_delete_name(&kg_vdb,name)
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index 9c5c83e..410b5f7 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -818,6 +818,12 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
         ctx = (iakerb_ctx_id_t)*context_handle;
 
     if (iakerb_is_iakerb_token(input_token)) {
+        if (ctx->u.gssc != GSS_C_NO_CONTEXT) {
+            /* We shouldn't get an IAKERB token now. */
+            code = G_WRONG_TOKID;
+            major_status = GSS_S_DEFECTIVE_TOKEN;
+            goto cleanup;
+        }
         code = iakerb_acceptor_step(ctx, initialContextToken,
                                     input_token, output_token);
         if (code == (OM_uint32)KRB5_BAD_MSIZE)