Found by Codenomicon testing at the SNIA plugfest. All fields within NegTokenInit and NegTokenTarg are optional. We incorrectly assume we'll always get a data blob and indirect within it. Fix for 3.6.x, 3.5.x and 4.0.0rc to follow. Big thanks to the Codenomicon guys! Jeremy.
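The defect class described above, as an added example that is not Samba's code: a small DER walker for the RFC 4178 NegTokenInit structure, in which every field after mechTypes is OPTIONAL, so the accessor returns None when no mechToken blob is present rather than assuming one and dereferencing it. The NTLMSSP mech OID and the "NTLM" blob are constructed sample values.

```python
def tlv(tag, body):
    """Encode one short-form DER TLV (used only to build the samples)."""
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode the DER TLV at pos; return (tag, value, next_pos) or raise."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length

# RFC 4178 context tags inside NegTokenInit; only mechTypes is mandatory.
FIELDS = {0xA0: "mechTypes", 0xA1: "reqFlags", 0xA2: "mechToken", 0xA3: "mechListMIC"}

def parse_neg_token_init(token):
    """Return the fields present in a [0] negTokenInit; absent OPTIONALs are simply missing."""
    tag, inner, _ = read_tlv(token, 0)
    if tag != 0xA0:
        raise ValueError("not a negTokenInit CHOICE")
    tag, seq, _ = read_tlv(inner, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    fields, pos = {}, 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag not in FIELDS:
            raise ValueError("unexpected tag 0x%02x" % tag)
        fields[FIELDS[tag]] = val
    if "mechTypes" not in fields:
        raise ValueError("mechTypes is mandatory")
    return fields

def mech_token(token):
    """Safe accessor: the inner OCTET STRING bytes, or None when the OPTIONAL blob is absent."""
    blob = parse_neg_token_init(token).get("mechToken")
    return None if blob is None else read_tlv(blob, 0)[1]

# Constructed samples: NTLMSSP mech OID 1.3.6.1.4.1.311.2.2.10 as the only mechType.
MECH_TYPES = tlv(0xA0, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010401823702020a"))))
INIT_NO_TOKEN = tlv(0xA0, tlv(0x30, MECH_TYPES))                                    # no mechToken at all
INIT_WITH_TOKEN = tlv(0xA0, tlv(0x30, MECH_TYPES + tlv(0xA2, tlv(0x04, b"NTLM"))))  # with a blob
```

A caller that wrote `read_tlv(fields["mechToken"], 0)` unconditionally would raise on the first sample, which is the shape of the missing return check in the report.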
Created attachment 7904: git-am fix for 3.6.next. I've checked every code path within 3.6.x; this is the only vulnerable place where we don't correctly check returns. Jeremy.
Is this only in 3.6?
No, I expect it's in all versions. Patch for master will be pushed to autobuild and I'll follow up here with a patch for 3.5.x. Jeremy.
The code that is changed by this patch doesn't exist in master anymore. To me it seems that spnego_read_data() (read_negTokenInit, read_negTokenTarg) doesn't have this problem.
Ok, I finally had a chance to look over the 3.5.x code and it doesn't look like it's a problem here either, so I think it's a 3.6.x fix only. Yay! Jeremy.
Comment on attachment 7904: git-am fix for 3.6.next. Looks good.
Karolin, please pick for the next release.
Pushed to v3-6-test. Closing out bug report. Thanks!