The branch main has been updated by cy: URL: https://cgit.FreeBSD.org/src/commit/?id=efb5c07f91c5c11fb9bd32227ac74c2d08adf3cf
commit efb5c07f91c5c11fb9bd32227ac74c2d08adf3cf Author: Cy Schubert <[email protected]> AuthorDate: 2026-06-02 17:57:17 +0000 Commit: Cy Schubert <[email protected]> CommitDate: 2026-06-08 13:52:04 +0000 krb5: Fix null dereference in SPNEGO token processing krb5 1.22.1 erroneously removed a check from get_negTokenResp() for successful decoding of the mechListMIC field. Restore the check to prevent a null pointer dereference. Commit message details obtained from upstream commit. Obtained from: Upstream commit 4ae75cded MFC after: 3 days --- crypto/krb5/src/lib/gssapi/spnego/spnego_mech.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/crypto/krb5/src/lib/gssapi/spnego/spnego_mech.c b/crypto/krb5/src/lib/gssapi/spnego/spnego_mech.c index 4a778364336e..1dd0f170651b 100644 --- a/crypto/krb5/src/lib/gssapi/spnego/spnego_mech.c +++ b/crypto/krb5/src/lib/gssapi/spnego/spnego_mech.c @@ -3517,6 +3517,8 @@ get_negTokenResp(OM_uint32 *minor_status, struct k5input *in, if (k5_der_get_value(&seq, CONTEXT | 0x03, &field)) { *mechListMIC = get_octet_string(&field); + if (*mechListMIC == GSS_C_NO_BUFFER) + return GSS_S_DEFECTIVE_TOKEN; /* Handle Windows 2000 duplicate response token */ if (*responseToken &&
