From 82464078c0d38421b788393838ebfa401aa1391e Mon Sep 17 00:00:00 2001
From: Fabiano Fidêncio <fidencio@redhat.com>
Date: Fri, 6 Oct 2017 13:04:15 +0200
Subject: PAM: Avoid overwriting pam_status in _lookup_by_cert_done()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In case add_pam_cert_response() failed pam_status has to be set to
PAM_AUTHINFO_UNAVAIL. Although it's done properly in the code,
pam_status was overwritten just after the if block with PAM_SUCCESS.

The original faulty code was added as part of 32474fa2f0.

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
 src/responder/pam/pamsrv_cmd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 7081aacfd..51d818565 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1568,12 +1568,12 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
                                             preq->module_name,
                                             preq->key_id,
                                             SSS_PAM_CERT_INFO_WITH_HINT);
+                preq->pd->pam_status = PAM_SUCCESS;
                 if (ret != EOK) {
                     DEBUG(SSSDBG_OP_FAILURE, "add_pam_cert_response failed.\n");
                     preq->pd->pam_status = PAM_AUTHINFO_UNAVAIL;
                 }
                 ret = EOK;
-                preq->pd->pam_status = PAM_SUCCESS;
                 pam_reply(preq);
                 goto done;
             }
-- 
cgit