Add NegoEx assertion to squash defect

Coverity sees negoex_init() test whether input_token is null before
parsing messages, then dereference input_token in verify_checksum().
Of course verify_checksum() will not find a checksum message if no
messages were parsed.  Add an assert to squash the false positive
forward-null defect.

diff --git a/src/lib/gssapi/spnego/negoex_ctx.c b/src/lib/gssapi/spnego/negoex_ctx.c
index e69b7200e3af7d35e876dfd3718c2146de0d7e03..18d9d4147de2aa497423bc3cf83256c7b9321899 100644 (file)
--- a/src/lib/gssapi/spnego/negoex_ctx.c
+++ b/src/lib/gssapi/spnego/negoex_ctx.c
@@ -454,6 +454,7 @@ verify_checksum(OM_uint32 *minor, spnego_gss_ctx_id_t ctx,
 
     /* Verify the checksum over the existing transcript and the portion of the
      * input token leading up to the verify message. */
+    assert(input_token != NULL);
     iov[0].flags = KRB5_CRYPTO_TYPE_DATA;
     iov[0].data = make_data(ctx->negoex_transcript.data,
                             ctx->negoex_transcript.len);