gssapi: fail if the selected OID is not in client-supplied OIDs

This should not happen because the OID is selected
from a subset of client-supplied OIDs in gss_acquire_cred,
i.e., it would imply a bug in krb5. But better be safe,
it would later cause an out-of-bounds read in
ssh_gssapi_send_response.

Reported and patch provided by Meta (vulns@meta.com).

Signed-off-by: Pavol Žáčik <pzacik@redhat.com>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Pavol Žáčik
2026-04-29 10:00:03 +02:00
committed by Jakub Jelen
parent ad84df197c
commit 81a7e92c44

@@ -330,6 +330,11 @@ ssh_gssapi_handle_userauth(ssh_session session, const char *user,
}
}
gss_release_oid_set(&min_stat, &selected);
if (i == n_oid) {
SSH_LOG(SSH_LOG_TRACE, "GSSAPI: no selected OID matched client OIDs");
ssh_auth_reply_default(session, 0);
return SSH_ERROR;
}
session->gssapi->user = strdup(user);
session->gssapi->state = SSH_GSSAPI_STATE_RCV_TOKEN;
return ssh_gssapi_send_response(session, oids[i]);
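Review bot: the new `if (i == n_oid)` branch logs at SSH_LOG_TRACE, yet the commit message describes this condition as something that would imply a bug in krb5, so it will be invisible at normal log levels exactly when someone needs to diagnose it. Consider SSH_LOG_WARN here, and a short comment above the check stating that it guards the `oids[i]` index passed to ssh_gssapi_send_response, since the loop that sets `i` is mostly outside this hunk and the reason for the guard is not obvious from the code alone. Separately, the unchanged context line `session->gssapi->user = strdup(user);` stores the result without a NULL check; that predates this change but sits on the same path and would be worth handling in a follow-up.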