author Lukas Slebodnik <lslebodn@redhat.com> 2016-04-11 14:46:47 +0200
committer Lukas Slebodnik <lslebodn@redhat.com> 2016-04-12 23:25:07 +0200
commit 22eead9590e11c7adab33ec5ab8b46d3c3cb4406 (patch)
tree 872e7946bcfd93f11b28c2e659a7e12c22c793e8 /src/providers
parent bdd533146cb2da71b7c39ad0efa2e5baca7257eb (diff)
IPA: Check RDN in ipa_add_ad_memberships_get_next
LDB functions ldb_dn_get_component_val and ldb_dn_get_rdn_val validate dn before returning component value. It should be valid DN according to RFC4514. IPA/389ds might return problematic DN due to replication conflicts.

e.g. "cn=System: Read Service Delegations+nsuniqueid=b0736336-d06e11e5-8e8acabe-ce8d458d,cn=permissions,dc=example,dc=com"

It's better to check return value of these LDB functions rather than crash because of dereference of NULL pointer.

Resolves: https://fedorahosted.org/sssd/ticket/2980
Reviewed-by: Sumit Bose <sbose@redhat.com>
Diffstat (limited to 'src/providers')
-rw-r--r-- src/providers/ipa/ipa_subdomains_ext_groups.c 8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/providers/ipa/ipa_subdomains_ext_groups.c b/src/providers/ipa/ipa_subdomains_ext_groups.c
index 8e006663a..a8ba4dfe8 100644
--- a/src/providers/ipa/ipa_subdomains_ext_groups.c
+++ b/src/providers/ipa/ipa_subdomains_ext_groups.c
@@ -862,7 +862,13 @@ static void ipa_add_ad_memberships_get_next(struct tevent_req *req)
goto fail;
}
- val = ldb_dn_get_component_val(group_dn, 0);
+ val = ldb_dn_get_rdn_val(group_dn);
+ if (val == NULL || val->data == NULL) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Invalid group DN [%s].\n", state->groups[state->iter]);
+ ret = EINVAL;
+ goto fail;
+ }
/* TODO: here is would be useful for have a filter type like BE_FILTER_DN to
* directly fetch the group with the corresponding DN. */
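Review bot: in the new val == NULL || val->data == NULL branch, "ret = EINVAL; goto fail;" treats one unparsable group DN as a failure of the whole request, although the commit message attributes such DNs to replication conflicts on the server side. Consider whether the entry could instead be logged and skipped so that the remaining elements of state->groups are still processed, or add a short comment above the check saying that aborting is intended and naming the multi-valued RDN (cn=...+nsuniqueid=...) case that triggers it. The hunk also replaces ldb_dn_get_component_val(group_dn, 0) with ldb_dn_get_rdn_val(group_dn); the commit message mentions both functions but does not say why the call was swapped, so one sentence on that would help the next reader.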