From d86db9d2c107c66372f422f1d628624b1a55ad45 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Fri, 17 Jan 2025 09:44:22 +0200
Subject: [PATCH] ipa-otpd: do not pass OIDC client secret if there is none to pass

If there is no client secret specified for the OIDC client, don't push it to oidc_child via stdin. oidc_child does only expect client secret if --client-secret-stdin option was specified and we already specify it only if client secret is not empty. In addition, if client secret is empty (it is a public OIDC client), then strlen(NULL) would crash in glibc internals. Avoid that!

Fixes: https://pagure.io/freeipa/issue/9734
Signed-off-by: Alexander Bokovoy
Reviewed-By: Florence Blanc-Renaud
Reviewed-By: Rob Crittenden
---
 daemons/ipa-otpd/oauth2.c | 29 +++++++++++++++++++----------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/daemons/ipa-otpd/oauth2.c b/daemons/ipa-otpd/oauth2.c
index 52d7d7c9cb6c410bdbaa2e5eddccfea2204d3e69..0eb43b2372701d47b9ef62cbbdb32b97a5f7a0ba 100644
--- a/daemons/ipa-otpd/oauth2.c
+++ b/daemons/ipa-otpd/oauth2.c
@@ -104,17 +104,26 @@ static void oauth2_on_child_writable(verto_ctx *vctx, verto_ev *ev)
 }
 if (child_ctx->oauth2_state == OAUTH2_GET_DEVICE_CODE) {
- io = write(verto_get_fd(ev), child_ctx->item->idp.ipaidpClientSecret,
- strlen(child_ctx->item->idp.ipaidpClientSecret));
+ if (child_ctx->item->idp.ipaidpClientSecret != NULL) {
+ io = write(verto_get_fd(ev), child_ctx->item->idp.ipaidpClientSecret,
+ strlen(child_ctx->item->idp.ipaidpClientSecret));
+ } else {
+ io = 0;
+ }
 } else {
- iov[0].iov_base = child_ctx->item->idp.ipaidpClientSecret;
- iov[0].iov_len = strlen(child_ctx->item->idp.ipaidpClientSecret);
- iov[1].iov_base = "\n";
- iov[1].iov_len = 1;
- iov[2].iov_base = child_ctx->saved_item->oauth2.device_code_reply;
- iov[2].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply);
-
- io = writev(verto_get_fd(ev), iov, 3);
+ int idx = 0;
+ if (child_ctx->item->idp.ipaidpClientSecret != NULL) {
+ iov[idx].iov_base = child_ctx->item->idp.ipaidpClientSecret;
+ iov[idx].iov_len = strlen(child_ctx->item->idp.ipaidpClientSecret);
+ idx++;
+ iov[idx].iov_base = "\n";
+ iov[idx].iov_len = 1;
+ idx++;
+ }
+ iov[idx].iov_base = child_ctx->saved_item->oauth2.device_code_reply;
+ iov[idx].iov_len = strlen(child_ctx->saved_item->oauth2.device_code_reply);
+ idx++;
+ io = writev(verto_get_fd(ev), iov, idx);
 }
 
 otpd_queue_item_free(child_ctx->saved_item);
-- 
2.47.1
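Review bot: The guards added at `if (child_ctx->item->idp.ipaidpClientSecret != NULL)` in both branches test only for NULL, while the commit message describes the public-client case as the secret being "empty" and says `--client-secret-stdin` is passed only when the secret is not empty; if that argv-side check (outside this hunk) is a non-empty test rather than a NULL test, an empty-string secret would still be written here — including the `"\n"` separator in the writev branch — to a child that was never told to read one. I would express the condition once, e.g. `static bool has_client_secret(const char *s) { return s != NULL && *s != '\0'; }`, and call it both where the child's arguments are built and at these two write sites, so the option and the stdin payload cannot drift apart. The two branches also repeat the same test on the same field, and the helper would keep them in step. oauth2_on_child_writable begins before this hunk and its handling of `io` after the writes is outside it, so I cannot confirm that `io = 0` in the no-secret case is treated as a successful write.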