diff options
author | Cy Schubert <cy@FreeBSD.org> | 2024-02-15 15:41:07 +0000 |
---|---|---|
committer | Cy Schubert <cy@FreeBSD.org> | 2024-02-21 14:01:48 +0000 |
commit | 88bdc4bb60df6aab4457d244c5fbf4b56b22ff6d (patch) | |
tree | 4fe362760ba0ebddd569d24f6cd9c5002c896adc | |
parent | 9f2e70a87d6ed48df418e1f7a3ccc09b469c2dad (diff) | |
download | src-88bdc4bb60df6aab4457d244c5fbf4b56b22ff6d.tar.gz src-88bdc4bb60df6aab4457d244c5fbf4b56b22ff6d.zip |
heimdal: Fix NULL deref
A flawed logical condition allows a malicious actor to remotely
trigger a NULL pointer dereference using a crafted negTokenInit
token.
Upstream notes:
Reported to Heimdal by Michał Kępień <michal@isc.org>.
From the report:
Acknowledgement
---------------
This flaw was found while working on addressing ZDI-CAN-12302: ISC BIND
TKEY Query Heap-based Buffer Overflow Remote Code Execution
Vulnerability, which was reported to ISC by Trend Micro's Zero Day
Security: CVE-2022-3116
Obtained from: upstream 7a19658c1
MFS requested by: re (cperciva)
Approved by: re (cperciva)
(cherry picked from commit fc773115fa2dbb6c01377f2ed47dabf79a4e361a)
(cherry picked from commit 6b421e431a2de6eb9e8bd670efffe76e6617d520)
-rw-r--r-- | crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c b/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c index b60dc19ad8e3..48542f06fcbe 100644 --- a/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c +++ b/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c @@ -605,7 +605,7 @@ acceptor_start * If opportunistic token failed, lets try the other mechs. */ - if (!first_ok && ni->mechToken != NULL) { + if (!first_ok) { size_t j; preferred_mech_type = GSS_C_NO_OID; |