The Samba-Bugzilla – Attachment 17504 Details for
Bug 15155
CVE-2022-3116 [NOT SECURITY] heimdal NULL deref in lib/gssapi/spnego/accept_sec_context.c
[patch]
a patch being handed round the internet
0001-gssapi-spnego-send_accept-initial_response-handle-no.patch (text/plain), 2.05 KB, created by
Douglas Bagnall
on 2022-09-01 00:10:18 UTC
>From 42e30da621287ba7d9c11a329463632efaf895c0 Mon Sep 17 00:00:00 2001 >From: Jeffrey Altman <jaltman@secure-endpoints.com> >Date: Tue, 1 Mar 2022 15:10:36 -0500 >Subject: [PATCH] gssapi/spnego: send_accept initial_response handle no > preferred mech > >send_accept() when called with a non-zero 'initial_response' did >not handle the case of gssspnego_ctx.preferred_mech_type equal >to GSS_C_NO_OID. > >The failure to handle GSS_C_NO_OID has been present since the >initial revision of gssapi/spnego, >2baa7e7d613c26b2b037b368931519a84baec53d but might not have >been exercised until later revisions. > >The introduction of opportunistic token handling in >gss_accept_sec_context(), 3c9d3266f47f594a29068c9d629908e7000ac663, >introduced two bugs: > > 1. The optional mechToken field is used unconditionally > possibly resulting in a segmentation fault. > > 2. If use of the opportunistic token is unsuccessful and the > mech type list length is one, send_accept() can be called > with 'initial_response' true and preferred mech set to > GSS_C_NO_OID. > >b53c90da0890a9cce6f95c552f094ff6d69027bf ("Make error reporting >somewhat more correct for SPNEGO") attempted to fix the first >issue and increased the likelihood of the second. > >This change alters the behavior of send_accept() so it constructs >a response without a supportedMech. > >Change-Id: If7c7931b1310e5893f1e3adf1ae9dc3258350828 >Reported-by: michal@isc.org >--- > lib/gssapi/spnego/accept_sec_context.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > >diff --git a/lib/gssapi/spnego/accept_sec_context.c b/lib/gssapi/spnego/accept_sec_context.c >index 48b786c29..1ddd814c3 100644 >--- a/lib/gssapi/spnego/accept_sec_context.c >+++ b/lib/gssapi/spnego/accept_sec_context.c 
>@@ -186,7 +186,8 @@ send_accept (OM_uint32 *minor_status, > *(nt.u.negTokenResp.negResult) = accept_incomplete; > } > >- if (initial_response) { >+ if (initial_response >+ && context_handle->preferred_mech_type != GSS_C_NO_OID) { > ALLOC(nt.u.negTokenResp.supportedMech, 1); > if (nt.u.negTokenResp.supportedMech == NULL) { > free_NegotiationToken(&nt); >-- >2.35.1 >
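Review bot: The extended condition on `if (initial_response` in send_accept() now skips the supportedMech allocation whenever `context_handle->preferred_mech_type` is GSS_C_NO_OID, but the code itself gives no reason for it. A short comment at that test, saying that the initial response is deliberately sent without a supportedMech when no preferred mechanism was selected, would stop a later cleanup from dropping the check and bringing back the NULL dereference. The diffstat lists only accept_sec_context.c, so the path the commit message describes (opportunistic token fails, mech type list of length one, `initial_response` true) has no regression test; one that drives the acceptor through that path and checks that a response is produced would be worth adding alongside this fix. The message also lists unconditional use of the optional mechToken as a separate bug. This hunk does not touch it, so it would help to state in the message whether that one is considered fully fixed by the earlier commit it cites.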