Fix potential memory leak in recent commit

In get_negTokenInit(), reject a zero-length mechTypes field before
copying it into *der_mechSet, to prevent allocating a zero-length GSS
buffer.

diff --git a/src/lib/gssapi/spnego/spnego_mech.c b/src/lib/gssapi/spnego/spnego_mech.c
index bdd75868ae108e466f4bb2673d9716ad9add8f13..5923c880b8debe45449b0eecafa71c5bfa913db1 100644 (file)
--- a/src/lib/gssapi/spnego/spnego_mech.c
+++ b/src/lib/gssapi/spnego/spnego_mech.c
@@ -3437,8 +3437,9 @@ get_negTokenInit(OM_uint32 *minor_status,
        if (!k5_der_get_value(&seq, SEQUENCE, &seq))
                return GSS_S_DEFECTIVE_TOKEN;
 
-       /* Get the contents of the mechTypes field. */
-       if (!k5_der_get_value(&seq, CONTEXT, &field))
+       /* Get the contents of the mechTypes field.  Reject an empty field here
+        * since we musn't allocate a zero-length buffer in the next step. */
+       if (!k5_der_get_value(&seq, CONTEXT, &field) || field.len == 0)
                return GSS_S_DEFECTIVE_TOKEN;
 
        /* Store a copy of the contents for MIC computation. */