spnego: CVE-2021-44758 send_reject when no mech selected
This fixes a DoS where an initial SPNEGO token that has no acceptable
mechanisms causes a NULL dereference in acceptors.

send_accept() when called with a non-zero 'initial_response' did
not handle the case of gssspnego_ctx.preferred_mech_type equal
to GSS_C_NO_OID.

The failure to handle GSS_C_NO_OID has been present since the
initial revision of gssapi/spnego,
2baa7e7, but might not have
been exercised until later revisions.

The introduction of opportunistic token handling in
gss_accept_sec_context(), 3c9d326,
introduced two bugs:

 1. The optional mechToken field is used unconditionally
    possibly resulting in a segmentation fault.

 2. If use of the opportunistic token is unsuccessful and the
    mech type list length is one, send_accept() can be called
    with 'initial_response' true and preferred mech set to
    GSS_C_NO_OID.

b53c90d ("Make error reporting
somewhat more correct for SPNEGO") attempted to fix the first
issue and increased the likelihood of the second.

This change alters the behavior of acceptor_start() so it calls
send_reject() when no mechanism was selected.
nicowilliams committed Nov 4, 2022
1 parent f82cd2e commit f9ec700
Showing 1 changed file with 8 additions and 6 deletions.
14 changes: 8 additions & 6 deletions lib/gssapi/spnego/accept_sec_context.c
@@ -619,13 +619,15 @@ acceptor_start
if (ret == 0)
break;
}
if (preferred_mech_type == GSS_C_NO_OID) {
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
free_NegotiationToken(&nt);
return ret;
}
}

ctx->preferred_mech_type = preferred_mech_type;

ctx->preferred_mech_type = preferred_mech_type;
if (preferred_mech_type == GSS_C_NO_OID) {
send_reject(minor_status, output_token);
HEIMDAL_MUTEX_unlock(&ctx->ctx_id_mutex);
free_NegotiationToken(&nt);
return ret;
}

/*
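Review bot: in the new `if (preferred_mech_type == GSS_C_NO_OID)` block the function still ends with `return ret;`, where `ret` is whatever the preceding mechanism-selection code left behind (the loop above only breaks on `ret == 0`), and the status returned by `send_reject(minor_status, output_token);` is discarded. Since the check now sits after the closing `}` and therefore also covers paths that never entered that block, it would be safer to return an explicit error status here (and to check send_reject()'s own return) so the caller cannot misread the reject as success; otherwise hoisting the check out of the inner block is the right fix for the NULL-dereference path described in the commit message.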