Check context handle in gss_export_sec_context()

After commit 4f35b27, the context_handle parameter in gss_export_sec_context() is dereferenced before arguments are validated by val_exp_sec_ctx_args(). With a null context_handle, the new code segfaults instead of failing gracefully. Revert this part of the commit and only dereference context_handle if it is non-null. (cherry picked from commit b6f29cb) ticket: 8334 version_fixed: 1.13.4 tags: -pullup status: resolved
krb5 · Jan 8, 2016 · b77b952 · b77b952
1 parent d19f02e
commit b77b952
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/src/lib/gssapi/mechglue/g_exp_sec_context.c b/src/lib/gssapi/mechglue/g_exp_sec_context.c
@@ -79,7 +79,7 @@ gss_buffer_t		interprocess_token;
 {
     OM_uint32		status;
     OM_uint32 		length;
-    gss_union_ctx_id_t	ctx = (gss_union_ctx_id_t) *context_handle;
+    gss_union_ctx_id_t	ctx = NULL;
     gss_mechanism	mech;
     gss_buffer_desc	token = GSS_C_EMPTY_BUFFER;
     char		*buf;
@@ -94,6 +94,7 @@ gss_buffer_t		interprocess_token;
      * call it.
      */
 
+    ctx = (gss_union_ctx_id_t) *context_handle;
     mech = gssint_get_mechanism (ctx->mech_type);
     if (!mech)
 	return GSS_S_BAD_MECH;
@@ -131,7 +132,7 @@ gss_buffer_t		interprocess_token;
 
 cleanup:
     (void) gss_release_buffer(minor_status, &token);
-    if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) {
+    if (ctx != NULL && ctx->internal_ctx_id == GSS_C_NO_CONTEXT) {
 	/* If the mech deleted its context, delete the union context. */
 	free(ctx->mech_type->elements);
 	free(ctx->mech_type);