heimdal: Fix NULL deref

A flawed logical condition allows a malicious actor to remotely
trigger a NULL pointer dereference using a crafted negTokenInit
token.

Upstream notes:

    Reported to Heimdal by Michał Kępień <michal@isc.org>.

    From the report:

    Acknowledgement
    ---------------

    This flaw was found while working on addressing ZDI-CAN-12302: ISC BIND
    TKEY Query Heap-based Buffer Overflow Remote Code Execution
    Vulnerability, which was reported to ISC by Trend Micro's Zero Day

Security:	CVE-2022-3116
Obtained from:	upstream 7a19658c1
MFC after:	1 week
This commit is contained in:
Cy Schubert
2024-02-15 07:41:07 -08:00
parent 60616b445e
commit fc773115fa
@@ -605,7 +605,7 @@ acceptor_start
* If opportunistic token failed, lets try the other mechs.
*/
if (!first_ok && ni->mechToken != NULL) {
if (!first_ok) {
size_t j;
preferred_mech_type = GSS_C_NO_OID;