From: Alexander Bokovoy
Date: Fri, 21 Mar 2025 07:52:47 +0000 (+0200)
Subject: Fix IAKERB accept_sec_context null pointer crash
X-Git-Tag: krb5-1.22-beta1~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1416%2Fhead;p=thirdparty%2Fkrb5.git

Fix IAKERB accept_sec_context null pointer crash

When iakerb_gss_accept_sec_context() processes an initial token which is not an IAKERB token (because the client already has a service ticket), set *context_handle. Otherwise subsequent GSS calls using this context will dereference a null pointer and crash.

[ghudson@mit.edu: moved fix to cleanup handler to avoid code duplication; added tests; rewrote commit message]

ticket: 9168 (new)
---
diff --git a/src/appl/gss-sample/t_gss_sample.py b/src/appl/gss-sample/t_gss_sample.py
index dad31e4b35..f823979e1b 100755
--- a/src/appl/gss-sample/t_gss_sample.py
+++ b/src/appl/gss-sample/t_gss_sample.py
@@ -116,6 +116,13 @@ for realm in multipass_realms():
     # test default (i.e., krb5) mechanism with GSS_C_DCE_STYLE
     tgs_test(realm, ['-dce'])
 
+    mark('AP')
+    ccache_save(realm)
+    tgs_test(realm, ['-krb5'])
+    tgs_test(realm, ['-spnego'])
+    tgs_test(realm, ['-iakerb'], ['-iakerb'])
+    tgs_test(realm, ['-dce'])
+
     mark('pw')
     pw_test(realm, ['-krb5'])
     pw_test(realm, ['-spnego'])
diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c
index 603433608d..1dd34287be 100644
--- a/src/lib/gssapi/krb5/iakerb.c
+++ b/src/lib/gssapi/krb5/iakerb.c
@@ -811,9 +811,9 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
     OM_uint32 major_status = GSS_S_FAILURE;
     OM_uint32 code;
     iakerb_ctx_id_t ctx;
-    int initialContextToken = (*context_handle == GSS_C_NO_CONTEXT);
+    krb5_boolean first_token = (*context_handle == GSS_C_NO_CONTEXT);
 
-    if (initialContextToken) {
+    if (first_token) {
         code = iakerb_alloc_context(&ctx, 0);
         if (code != 0)
             goto cleanup;
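Review bot: The new `mark('AP')` block in t_gss_sample.py carries no comment saying how it differs from the `tgs_test` calls directly above it, so a reader cannot tell why the same four mechanisms are exercised a second time. From the commit message, the preceding `ccache_save(realm)` presumably leaves the client with a service ticket already cached, so the initial token on this pass is not an IAKERB token — the case that crashed before this fix. I would add above `ccache_save(realm)`: `# With a service ticket already cached, the initial token is not an IAKERB token (ticket 9168).` The enclosing for loop begins outside the hunk.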
@@ -834,10 +834,6 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
             major_status = GSS_S_DEFECTIVE_TOKEN;
         if (code != 0)
             goto cleanup;
-        if (initialContextToken) {
-            *context_handle = (gss_ctx_id_t)ctx;
-            ctx = NULL;
-        }
         if (src_name != NULL)
             *src_name = GSS_C_NO_NAME;
         if (ret_flags != NULL)
@@ -872,9 +868,13 @@ iakerb_gss_accept_sec_context(OM_uint32 *minor_status,
         *mech_type = gss_mech_iakerb;
 
 cleanup:
-    if (initialContextToken && GSS_ERROR(major_status)) {
-        iakerb_release_context(ctx);
-        *context_handle = GSS_C_NO_CONTEXT;
+    if (first_token) {
+        if (GSS_ERROR(major_status)) {
+            iakerb_release_context(ctx);
+            *context_handle = GSS_C_NO_CONTEXT;
+        } else {
+            *context_handle = (gss_ctx_id_t)ctx;
+        }
     }
 
     *minor_status = code;
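Review bot: The rewritten cleanup block in the last hunk now hands ctx to the caller on every non-error outcome of a first call, but nothing in the code says that this is deliberately also the path for a non-IAKERB initial token, which is the point of the fix; a reader of the cleanup label alone will not see why the ownership transfer moved here from the success path removed in the hunk at line 834. I would add above `if (first_token) {`: `/* On the first call, hand ctx to the caller on any non-error result (including GSS_S_CONTINUE_NEEDED and the non-IAKERB initial-token path); release it on error. */` Since GSS_ERROR() masks out the supplementary bits, a GSS_S_CONTINUE_NEEDED return keeps the context, as intended. After the handoff the local ctx still points at the stored context; that is harmless if the function returns right after the visible tail, but the removed `ctx = NULL` made the transfer explicit, so restoring it in the else branch would be a small clarity gain. iakerb_gss_accept_sec_context starts before both hunks.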