diff options
author | Martin Babinsky <mbabinsk@redhat.com> | 2015-01-28 16:25:14 +0100 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2015-01-30 11:02:16 +0100 |
commit | 13fb2b90672764bc549bb10b3749ec1369053caf (patch) | |
tree | b83aaa11e82cab4acbe1c75c3023bf3f811a54e6 /daemons/ipa-kdb | |
parent | eb09e77f16f06c2f488c495785c42bda0bb257b4 (diff) | |
download | freeipa-13fb2b90672764bc549bb10b3749ec1369053caf.tar.gz freeipa-13fb2b90672764bc549bb10b3749ec1369053caf.tar.xz freeipa-13fb2b90672764bc549bb10b3749ec1369053caf.zip |
ipa-kdb: more robust handling of principal addition/editing
The patch addresses the following defect reported by covscan in FreeIPA
master:
"""
Error: FORWARD_NULL (CWE-476):
/daemons/ipa-kdb/ipa_kdb_principals.c:1886: assign_zero: Assigning:
"principal" = "NULL".
/daemons/ipa-kdb/ipa_kdb_principals.c:1929:
var_deref_model: Passing null pointer "principal" to "ipadb_entry_to_mods",
which dereferences it.
/daemons/ipa-kdb/ipa_kdb_principals.c:1491:9:
deref_parm_in_call: Function "ipadb_get_ldap_mod_str" dereferences
"principal".
/daemons/ipa-kdb/ipa_kdb_principals.c:1174:5:
deref_parm_in_call: Function "strdup" dereferences "value"
"""
This is a part of series of patches related to
https://fedorahosted.org/freeipa/ticket/4795
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Diffstat (limited to 'daemons/ipa-kdb')
-rw-r--r-- | daemons/ipa-kdb/ipa_kdb_principals.c | 70 |
1 files changed, 47 insertions, 23 deletions
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c index e158c236e..9d43ebc66 100644 --- a/daemons/ipa-kdb/ipa_kdb_principals.c +++ b/daemons/ipa-kdb/ipa_kdb_principals.c @@ -1474,10 +1474,38 @@ done: return kerr; } +static krb5_error_code ipadb_principal_to_mods(krb5_context kcontext, + struct ipadb_mods *imods, + char *principal, + int mod_op) +{ + krb5_error_code kerr; + + if (principal == NULL) { + kerr = EINVAL; + goto done; + } + + kerr = ipadb_get_ldap_mod_str(imods, "krbPrincipalName", + principal, mod_op); + if (kerr) { + goto done; + } + kerr = ipadb_get_ldap_mod_str(imods, "ipaKrbPrincipalAlias", + principal, mod_op); + if (kerr) { + goto done; + } + + kerr = 0; + +done: + return kerr; +} + static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext, struct ipadb_mods *imods, krb5_db_entry *entry, - char *principal, int mod_op) { krb5_error_code kerr; @@ -1486,20 +1514,6 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext, /* check each mask flag in order */ - /* KADM5_PRINCIPAL */ - if (entry->mask & KMASK_PRINCIPAL) { - kerr = ipadb_get_ldap_mod_str(imods, "krbPrincipalName", - principal, mod_op); - if (kerr) { - goto done; - } - kerr = ipadb_get_ldap_mod_str(imods, "ipaKrbPrincipalAlias", - principal, mod_op); - if (kerr) { - goto done; - } - } - /* KADM5_PRINC_EXPIRE_TIME */ if (entry->mask & KMASK_PRINC_EXPIRE_TIME) { kerr = ipadb_get_ldap_mod_time(imods, @@ -1863,8 +1877,12 @@ static krb5_error_code ipadb_add_principal(krb5_context kcontext, goto done; } - kerr = ipadb_entry_to_mods(kcontext, imods, - entry, principal, LDAP_MOD_ADD); + kerr = ipadb_principal_to_mods(kcontext, imods, principal, LDAP_MOD_ADD); + if (kerr != 0) { + goto done; + } + + kerr = ipadb_entry_to_mods(kcontext, imods, entry, LDAP_MOD_ADD); if (kerr != 0) { goto done; } @@ -1895,6 +1913,11 @@ static krb5_error_code ipadb_modify_principal(krb5_context kcontext, return KRB5_KDB_DBNOTINITED; } + kerr = new_ipadb_mods(&imods); + if (kerr) { + goto done; + } + ied = (struct ipadb_e_data *)entry->e_data; if (!ied || !ied->entry_dn) { kerr = krb5_unparse_name(kcontext, entry->princ, &principal); @@ -1919,15 +1942,16 @@ static krb5_error_code ipadb_modify_principal(krb5_context kcontext, kerr = KRB5_KDB_INTERNAL_ERROR; goto done; } - } - kerr = new_ipadb_mods(&imods); - if (kerr) { - goto done; + kerr = ipadb_principal_to_mods(kcontext, imods, principal, + LDAP_MOD_REPLACE); + if (kerr != 0) { + goto done; + } + } - kerr = ipadb_entry_to_mods(kcontext, imods, - entry, principal, LDAP_MOD_REPLACE); + kerr = ipadb_entry_to_mods(kcontext, imods, entry, LDAP_MOD_REPLACE); if (kerr != 0) { goto done; } |