From 81a7e92c449655b28bfd6434d65b0f165248cc09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavol=20=C5=BD=C3=A1=C4=8Dik?=
Date: Wed, 29 Apr 2026 10:00:03 +0200
Subject: [PATCH] gssapi: fail if the selected OID is not in client-supplied OIDs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This should not happen because the OID is selected from a subset of client-supplied OID in gss_acquire_cred, i.e., it would imply a bug in krb5. But better be safe, it would later cause an out-of-bounds read in ssh_gssapi_send_response.

Reported and patch provided by Meta (vulns@meta.com).

Signed-off-by: Pavol Žáčik
Reviewed-by: Jakub Jelen
---
 src/gssapi.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/gssapi.c b/src/gssapi.c
index 4d4ef5d7..c0af7ac2 100644
--- a/src/gssapi.c
+++ b/src/gssapi.c
@@ -330,6 +330,11 @@ ssh_gssapi_handle_userauth(ssh_session session, const char *user,
         }
     }
     gss_release_oid_set(&min_stat, &selected);
+    if (i == n_oid) {
+        SSH_LOG(SSH_LOG_TRACE, "GSSAPI: no selected OID matched client OIDs");
+        ssh_auth_reply_default(session, 0);
+        return SSH_ERROR;
+    }
     session->gssapi->user = strdup(user);
     session->gssapi->state = SSH_GSSAPI_STATE_RCV_TOKEN;
     return ssh_gssapi_send_response(session, oids[i]);
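Review bot: The new `if (i == n_oid)` guard is correct only because the matching loop above the hunk leaves `i` equal to `n_oid` when no entry of `oids` matched, and that loop, the declarations of `i`, `n_oid` and `oids`, and the start of ssh_gssapi_handle_userauth are all outside the hunk; the commit message says the case "should not happen", so the guard deserves a comment making the invariant explicit, e.g. `/* Defensive: every selected OID should match a client OID; without this, oids[i] below would be read past the end of the array. */`. Placing the check after `gss_release_oid_set(&min_stat, &selected)` is the right order, since the early return then does not leak the OID set. What the hunk does not show is who owns `oids`: if this function frees the `oids` array on its other paths, the new `return SSH_ERROR` needs the same cleanup, so please confirm against the rest of the function (or its caller) that the array is released on this path too. Logging the condition at SSH_LOG_TRACE is a style choice worth revisiting, because the message says the case indicates a bug in the GSSAPI library rather than a client error, and a trace-level line will not surface it during normal operation.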