spnego: CVE-2021-44758 send_reject when no mech selected
This fixes a DoS where an initial SPNEGO token that has no acceptable mechanisms causes a NULL dereference in acceptors.

send_accept() when called with a non-zero 'initial_response' did not handle the case of gssspnego_ctx.preferred_mech_type equal to GSS_C_NO_OID.

The failure to handle GSS_C_NO_OID has been present since the initial revision of gssapi/spnego, 2baa7e7, but might not have been exercised until later revisions.

The introduction of opportunistic token handling in gss_accept_sec_context(), 3c9d326, introduced two bugs:

1. The optional mechToken field is used unconditionally, possibly resulting in a segmentation fault.

2. If use of the opportunistic token is unsuccessful and the mech type list length is one, send_accept() can be called with 'initial_response' true and preferred mech set to GSS_C_NO_OID.

b53c90d ("Make error reporting somewhat more correct for SPNEGO") attempted to fix the first issue and increased the likelihood of the second.

This change alters the behavior of acceptor_start() so it calls send_reject() when no mechanism was selected.
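The decision the commit message describes, as an added illustration that is not Heimdal's code: a simplified C model of the acceptor's first step in which the two guards from the message are explicit. The optional mechToken is only touched when present, and when no mechanism ends up selected (including the case where the opportunistic attempt on a one-element mech list fails) the acceptor answers with a reject instead of reaching send_accept() with a NULL mechanism. `struct spnego_ctx`, `struct neg_token_init`, the string-based `mech_oid` (with NULL standing in for GSS_C_NO_OID), the supported-mechanism list and the 0x60 token-acceptance rule are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a mechanism OID; NULL plays the role of GSS_C_NO_OID. */
typedef const char *mech_oid;

/* Model of the parsed NegTokenInit. Both the mechanism list and the
 * opportunistic mechToken come from the peer, and mechToken is optional. */
struct neg_token_init {
    const mech_oid      *mech_types;
    size_t               n_mech_types;
    const unsigned char *mech_token;      /* may be NULL */
    size_t               mech_token_len;
};

/* Stand-in for the relevant part of gssspnego_ctx. */
struct spnego_ctx {
    mech_oid preferred_mech_type;         /* NULL until a mechanism is chosen */
    int      opportunistic_used;
};

enum reply { REPLY_ACCEPT, REPLY_REJECT };

/* First offered mechanism the acceptor supports, or NULL when there is none. */
static mech_oid select_mech(const mech_oid *offered, size_t n,
                            const mech_oid *supported, size_t m)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < m; j++)
            if (strcmp(offered[i], supported[j]) == 0)
                return offered[i];
    return NULL;
}

/* Constructed rule standing in for running the mechanism on the opportunistic
 * token: it is "accepted" only when it starts with the 0x60 tag that GSS
 * initial tokens carry. Anything else models a failed opportunistic attempt. */
static int try_opportunistic(const unsigned char *tok, size_t len)
{
    return len > 0 && tok[0] == 0x60;
}

/* Stand-in for send_accept(). It dereferences the chosen mechanism, which is
 * exactly why reaching it with GSS_C_NO_OID crashed the acceptor. */
static enum reply send_accept(const struct spnego_ctx *ctx)
{
    printf("accept: negotiated %s (%s)\n", ctx->preferred_mech_type,
           ctx->opportunistic_used ? "opportunistic token used" : "no token yet");
    return REPLY_ACCEPT;
}

static enum reply send_reject(void)
{
    printf("reject: no acceptable mechanism\n");
    return REPLY_REJECT;
}

/* Fixed decision logic, modelled on the behaviour the commit describes. */
enum reply acceptor_start(struct spnego_ctx *ctx, const struct neg_token_init *init,
                          const mech_oid *supported, size_t n_supported)
{
    size_t start = 0;

    ctx->preferred_mech_type = NULL;
    ctx->opportunistic_used = 0;

    /* Opportunistic path: only the first listed mechanism may carry a
     * mechToken, and the field is optional, so test for NULL before use. */
    if (init->n_mech_types > 0 && init->mech_token != NULL &&
        select_mech(init->mech_types, 1, supported, n_supported) != NULL) {
        if (try_opportunistic(init->mech_token, init->mech_token_len)) {
            ctx->preferred_mech_type = init->mech_types[0];
            ctx->opportunistic_used = 1;
        } else {
            start = 1;   /* first mechanism failed; consider the rest only */
        }
    }

    /* Plain negotiation over the remaining offered mechanisms. */
    if (ctx->preferred_mech_type == NULL)
        ctx->preferred_mech_type = select_mech(init->mech_types + start,
                                               init->n_mech_types - start,
                                               supported, n_supported);

    /* The fix: nothing selected means reject, never send_accept() on NULL. */
    if (ctx->preferred_mech_type == NULL)
        return send_reject();
    return send_accept(ctx);
}

/* Driver: runs one NegTokenInit against a constructed supported list. */
enum reply run_scenario(const mech_oid *offered, size_t n,
                        const unsigned char *tok, size_t len,
                        struct spnego_ctx *ctx)
{
    static const mech_oid supported[] = { "krb5", "ntlmssp" };  /* constructed */
    struct neg_token_init init = { offered, n, tok, len };
    return acceptor_start(ctx, &init, supported, 2);
}

int main(void)
{
    struct spnego_ctx ctx;
    const mech_oid only_unknown[] = { "negoex" };
    const mech_oid only_krb5[]    = { "krb5" };
    const mech_oid two[]          = { "krb5", "ntlmssp" };
    const unsigned char good[]    = { 0x60, 0x01 };
    const unsigned char bad[]     = { 0x00 };

    run_scenario(only_unknown, 1, NULL, 0, &ctx);   /* no common mech: reject */
    run_scenario(only_krb5, 1, good, 2, &ctx);      /* accept, opportunistic */
    run_scenario(only_krb5, 1, bad, 1, &ctx);       /* one mech, token fails: reject */
    run_scenario(two, 2, bad, 1, &ctx);             /* falls back to ntlmssp */
    return 0;
}
```

The third scenario is the shape the commit fixes: a single offered mechanism whose opportunistic token is not accepted leaves nothing selected, and the model now answers with a reject rather than letting send_accept() dereference a NULL mechanism.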