From 42e30da621287ba7d9c11a329463632efaf895c0 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Tue, 1 Mar 2022 15:10:36 -0500 Subject: [PATCH] gssapi/spnego: send_accept initial_response handle no preferred mech send_accept() when called with a non-zero 'initial_response' did not handle the case of gssspnego_ctx.preferred_mech_type equal to GSS_C_NO_OID. The failure to handle GSS_C_NO_OID has been present since the initial revision of gssapi/spnego, 2baa7e7d613c26b2b037b368931519a84baec53d but might not have been exercised until later revisions. The introduction of opportunistic token handling in gss_accept_sec_context(), 3c9d3266f47f594a29068c9d629908e7000ac663, introduced two bugs: 1. The optional mechToken field is used unconditionally possibly resulting in a segmentation fault. 2. If use of the opportunistic token is unsuccessful and the mech type list length is one, send_accept() can be called with 'initial_response' true and preferred mech set to GSS_C_NO_OID. b53c90da0890a9cce6f95c552f094ff6d69027bf ("Make error reporting somewhat more correct for SPNEGO") attempted to fix the first issue and increased the likelihood of the second. This change alters the behavior of send_accept() so it constructs a response without a supportedMech. Change-Id: If7c7931b1310e5893f1e3adf1ae9dc3258350828 Reported-by: michal@isc.org --- lib/gssapi/spnego/accept_sec_context.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/gssapi/spnego/accept_sec_context.c b/lib/gssapi/spnego/accept_sec_context.c index 48b786c29..1ddd814c3 100644 --- a/lib/gssapi/spnego/accept_sec_context.c +++ b/lib/gssapi/spnego/accept_sec_context.c 
@@ -186,7 +186,8 @@ send_accept (OM_uint32 *minor_status, *(nt.u.negTokenResp.negResult) = accept_incomplete; } - if (initial_response) { + if (initial_response + && context_handle->preferred_mech_type != GSS_C_NO_OID) { ALLOC(nt.u.negTokenResp.supportedMech, 1); if (nt.u.negTokenResp.supportedMech == NULL) { free_NegotiationToken(&nt); -- 2.35.1
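Review bot: the widened condition in send_accept() (`if (initial_response && context_handle->preferred_mech_type != GSS_C_NO_OID)`) now skips supportedMech silently, with no comment in the code saying that the omission is deliberate. A later reader could take the missing field for a bug and restore the unconditional branch. Add a short comment above the `if` stating that preferred_mech_type can still be GSS_C_NO_OID here when the opportunistic token fails and the mech list has one entry, and that the response is then built without supportedMech on purpose. It is also worth confirming which negResult is sent on that path: the context line just above sets accept_incomplete in one branch, and an initial response that reports accept_incomplete while naming no mechanism may give the initiator nothing to continue with, so check what callers pass when they reach this code with GSS_C_NO_OID. The diffstat shows only accept_sec_context.c changing; a regression test for the single-entry mech list case described in the commit message would keep the NULL handling from regressing.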