After commit
4f35b27a9ee38ca0b557ce8e6d059924a63d4eff, the
context_handle parameter in gss_export_sec_context() is dereferenced
before arguments are validated by val_exp_sec_ctx_args(). With a null
context_handle, the new code segfaults instead of failing gracefully.
Revert this part of the commit and only dereference context_handle if
it is non-null.
ticket: 8334 (new)
target_version: 1.14-next
target_version: 1.13-next
target_version: 1.12-next
tags: pullup
{
OM_uint32 status;
OM_uint32 length;
- gss_union_ctx_id_t ctx = (gss_union_ctx_id_t) *context_handle;
+ gss_union_ctx_id_t ctx = NULL;
gss_mechanism mech;
gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
char *buf;
* call it.
*/
+ ctx = (gss_union_ctx_id_t) *context_handle;
mech = gssint_get_mechanism (ctx->mech_type);
if (!mech)
return GSS_S_BAD_MECH;
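Review bot: The dereference `ctx->mech_type` on the line after the added assignment is only safe because argument validation has already run above this hunk, and nothing at the assignment says so. The fault described in the commit message came from moving this dereference ahead of val_exp_sec_ctx_args(), so I would add a comment on the assignment, e.g. `/* Safe only after val_exp_sec_ctx_args() has rejected a null context_handle. */`. The validator's body is not visible here, so it is worth confirming that it also rejects `*context_handle == GSS_C_NO_CONTEXT`; otherwise `ctx` itself is null at the `gssint_get_mechanism` call. The function starts and continues outside this hunk.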
cleanup:
(void) gss_release_buffer(minor_status, &token);
- if (ctx->internal_ctx_id == GSS_C_NO_CONTEXT) {
+ if (ctx != NULL && ctx->internal_ctx_id == GSS_C_NO_CONTEXT) {
/* If the mech deleted its context, delete the union context. */
free(ctx->mech_type->elements);
free(ctx->mech_type);
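Review bot: The new `ctx != NULL` test under `cleanup:` does not say which path can arrive there with `ctx` still unset. In the lines visible here the assignment precedes the mechanism lookup, and the `!mech` failure returns directly rather than jumping to cleanup. If no `goto cleanup` can run before the assignment, mark the check as defensive, e.g. `/* Defensive: ctx stays NULL until context_handle has been validated. */`. A regression test that passes a null context_handle and expects an error status instead of a crash would keep this from recurring; none is included in the change shown. The `if` body continues outside the hunk.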