sssd/0015-ldap_child-make-sure-invalid-krb5-context-is-not-use.patch
Alexey Tikhonov e0d298f0ae Resolves: RHEL-67671 - Label DP_OPT_DYNDNS_REFRESH_OFFSET has no corresponding option [rhel-8.10.z]
Resolves: RHEL-68507 - sssd backend process segfaults when krb5.conf is invalid [rhel-8.10.z]
Resolves: RHEL-66267 - SSSD needs an option to indicate if the LDAP server can run the exop with an anonymous bind or not [rhel-8.10.z]
Resolves: RHEL-67128 - Excessive "Domain not found' messages logged to sssd_nss & sssd_be in multidomain AD forest [rhel-8.10.z]
Resolves: RHEL-66272 - sssd is skipping GPO evaluation with auto_private_groups [rhel-8.10.z]
Resolves: RHEL-66277 - possible regression of rhbz#2196521 [rhel-8.10.z]
2024-11-22 15:13:17 +01:00

From 3e7e0cc7038c89132c9f4b8a48b6b1e0c0febff4 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 21 Nov 2024 09:16:09 +0100
Subject: [PATCH 15/15] ldap_child: make sure invalid krb5 context is not used
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Resolves: https://github.com/SSSD/sssd/issues/7715
Reviewed-by: Alejandro López <allopez@redhat.com>
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
(cherry picked from commit fce94aec3f335cbe33c509b14e389b9df0748744)
---
src/util/sss_krb5.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/util/sss_krb5.c b/src/util/sss_krb5.c
index 3f57e5b26..f44df2b5f 100644
--- a/src/util/sss_krb5.c
+++ b/src/util/sss_krb5.c
@@ -83,6 +83,10 @@ const char *sss_printable_keytab_name(krb5_context ctx, const char *keytab_name)
return keytab_name;
}
+ if (ctx == NULL) {
+ return "-unknown-";
+ }
+
if (krb5_kt_default_name(ctx, buff, sizeof(buff)) != 0) {
return "-default keytab-";
}
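Review bot: The new `ctx == NULL` guard returns the literal "-unknown-" through the same `const char *` that normally carries a real keytab name, and nothing in the hunk documents that a NULL context is now an accepted input. Add a short comment above the check (or in the function's header comment) saying that `ctx` may be NULL when context initialization failed, and that "-unknown-" and "-default keytab-" are placeholders meant only for log output. Callers cannot tell them apart from a genuine name. The guard is correctly placed after the early `return keytab_name;`, so a caller that supplied a name still gets it back without a context.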
@@ -1355,8 +1359,9 @@ krb5_error_code sss_krb5_init_context(krb5_context *context)
{
krb5_error_code kerr;
const char *msg;
+ krb5_context ctx;
- kerr = krb5_init_context(context);
+ kerr = krb5_init_context(&ctx);
if (kerr != 0) {
/* It is safe to call (sss_)krb5_get_error_message() with NULL as first
* argument. */
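Review bot: The new local in `sss_krb5_init_context()` is declared without an initializer (`krb5_context ctx;`). Write `krb5_context ctx = NULL;` so that its value is defined on every path, including when `krb5_init_context(&ctx)` fails, and so that a later edit that reads `ctx` in the error branch cannot pick up stack garbage. The existing comment about passing NULL to `(sss_)krb5_get_error_message()` still matches the code, since the error branch keeps using NULL rather than `ctx`.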
@@ -1365,6 +1370,8 @@ krb5_error_code sss_krb5_init_context(krb5_context *context)
"Failed to init Kerberos context [%s]\n", msg);
sss_log(SSS_LOG_CRIT, "Failed to init Kerberos context [%s]\n", msg);
sss_krb5_free_error_message(NULL, msg);
+ } else {
+ *context = ctx;
}
return kerr;
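Review bot: On the failure path `*context` is now left untouched, so the `ctx == NULL` guard added in `sss_printable_keytab_name()` only takes effect if every caller initialized its `krb5_context` variable to NULL before calling `sss_krb5_init_context()`. Consider making that explicit by adding `*context = NULL;` in the `kerr != 0` branch, or by stating in the function comment that the output is written only on success and callers must pre-initialize it. The `else { *context = ctx; }` assignment itself is fine. A defensive check that `context` is non-NULL before dereferencing it would also fit here.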
--
2.46.1