From 466f5a539be1e4c6e7cfb396a2f406e1eb8c428d Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik
Date: Mon, 14 Oct 2013 11:21:02 +0200
Subject: krb5: Check return value of sss_krb5_princ_realm

sss_krb5_princ_realm set output parameter realm to NULL and len to 0 in case of failure. Clang static analysers reported warning "Null pointer passed as an argument to a 'nonnull' parameter" in function match_principal. It was possible, that realm_name with value NULL could be used in strncmp.
Reviewed-by: Pavel Reichl
---
src/util/sss_krb5.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
(limited to 'src/util/sss_krb5.c')
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index 89240b86d..b5cc55376 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -212,6 +212,14 @@ errno_t select_principal_from_keytab(TALLOC_CTX *mem_ctx,
 sss_krb5_princ_realm(krb_ctx, client_princ, &realm_name, &realm_len);
+ if (realm_len == 0) {
+ DEBUG(SSSDBG_CRIT_FAILURE, "sss_krb5_princ_realm failed.\n");
+ if (_principal) talloc_zfree(*_principal);
+ if (_primary) talloc_zfree(*_primary);
+ ret = EINVAL;
+ goto done;
+ }
+
 *_realm = talloc_asprintf(mem_ctx, "%.*s", realm_len, realm_name);
 if (!*_realm) {
@@ -279,6 +287,10 @@ static bool match_principal(krb5_context ctx,
 bool ret = false;
 sss_krb5_princ_realm(ctx, principal, &realm_name, &realm_len);
+ if (realm_len == 0) {
+ DEBUG(SSSDBG_MINOR_FAILURE, "sss_krb5_princ_realm failed.\n");
+ return false;
+ }
 tmp_ctx = talloc_new(NULL);
 if (!tmp_ctx) {
-- cgit
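Review bot: Both new guards test only `realm_len == 0`, while the value that must not reach `talloc_asprintf` or `strncmp` is the `realm_name` pointer, so they depend on sss_krb5_princ_realm always setting its two outputs together, which these hunks do not show. Testing the pointer as well, `if (realm_name == NULL || realm_len == 0) {`, in select_principal_from_keytab and in the match_principal hunk keeps the guard valid if the helper ever changes, and it is the condition the static analyser can follow directly. In the first hunk the two unbraced one-line statements such as `if (_principal) talloc_zfree(*_principal);` would read more safely with braces. It is also worth confirming that the `done:` path, which is outside the hunk, leaves `*_realm` in a defined state, since `_realm` is dereferenced without the NULL check that `_principal` and `_primary` get. Both functions start and end outside the hunks.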