git: 88bdc4bb60df - releng/13.3 - heimdal: Fix NULL deref

From: Cy Schubert <cy_at_FreeBSD.org>
Date: Wed, 21 Feb 2024 14:01:57 UTC
The branch releng/13.3 has been updated by cy:

URL: https://cgit.FreeBSD.org/src/commit/?id=88bdc4bb60df6aab4457d244c5fbf4b56b22ff6d

commit 88bdc4bb60df6aab4457d244c5fbf4b56b22ff6d
Author:     Cy Schubert <cy@FreeBSD.org>
AuthorDate: 2024-02-15 15:41:07 +0000
Commit:     Cy Schubert <cy@FreeBSD.org>
CommitDate: 2024-02-21 14:01:48 +0000

    heimdal: Fix NULL deref
    
    A flawed logical condition allows a malicious actor to remotely
    trigger a NULL pointer dereference using a crafted negTokenInit
    token.
    
    Upstream notes:
    
        Reported to Heimdal by Michał Kępień <michal@isc.org>.
    
        From the report:
    
        Acknowledgement
        ---------------
    
        This flaw was found while working on addressing ZDI-CAN-12302: ISC BIND
        TKEY Query Heap-based Buffer Overflow Remote Code Execution
        Vulnerability, which was reported to ISC by Trend Micro's Zero Day
    
    Security:       CVE-2022-3116
    Obtained from:  upstream 7a19658c1
    MFS requested by:       re (cperciva)
    Approved by:            re (cperciva)
    
    (cherry picked from commit fc773115fa2dbb6c01377f2ed47dabf79a4e361a)
    (cherry picked from commit 6b421e431a2de6eb9e8bd670efffe76e6617d520)
---
 crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c b/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c
index b60dc19ad8e3..48542f06fcbe 100644
--- a/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c
+++ b/crypto/heimdal/lib/gssapi/spnego/accept_sec_context.c
@@ -605,7 +605,7 @@ acceptor_start
      * If opportunistic token failed, lets try the other mechs.
      */
 
-    if (!first_ok && ni->mechToken != NULL) {
+    if (!first_ok) {
 	size_t j;
 
 	preferred_mech_type = GSS_C_NO_OID;