git: bec5e729ceef - stable/12 - heimdal: Fix NULL deref
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 21 Feb 2024 20:26:02 UTC
The branch stable/12 has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=bec5e729ceef12259609dbd8f5191e19464be95d
commit bec5e729ceef12259609dbd8f5191e19464be95d
Author: Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2024-02-15 15:41:07 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-02-21 20:24:16 +0000
heimdal: Fix NULL deref
A flawed logical condition allows a malicious actor to remotely
trigger a NULL pointer dereference using a crafted negTokenInit
token.
Upstream notes:
Reported to Heimdal by Michał Kępień <michal@isc.org>.
From the report:
Acknowledgement
---------------
This flaw was found while working on addressing ZDI-CAN-12302: ISC BIND
TKEY Query Heap-based Buffer Overflow Remote Code Execution
Vulnerability, which was reported to ISC by Trend Micro's Zero Day
Security: CVE-2022-3116
Obtained from: upstream 7a19658c1
(cherry picked from commit fc773115fa2dbb6c01377f2ed47dabf79a4e361a)
(cherry picked from commit 6b421e431a2de6eb9e8bd670efffe76e6617d520)
---
crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c b/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c
index b60dc19ad8e3..48542f06fcbe 100644
--- a/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c
+++ b/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c
@@ -605,7 +605,7 @@ acceptor_start
* If opportunistic token failed, lets try the other mechs.
*/
- if (!first_ok && ni->mechToken != NULL) {
+ if (!first_ok) {
size_t j;
preferred_mech_type = GSS_C_NO_OID;