#719 Possible NULL-dereference in pam_check_user_search
Closed: Fixed None Opened 10 years ago by sgallagh.

At conditional (1): "dom" taking the false branch.
Comparing "dom" to null implies that "dom" might be null.
    while (dom) {
        /* if it is a domainless search, skip domains that require fully
         * qualified names instead */
        while (dom && !preq->pd->domain && dom->fqnames) {
            dom = dom->next;
        }

        if (!dom) break;

        if (dom != preq->domain) {
            /* make sure we reset the check_provider flag when we check
             * a new domain */
            preq->check_provider = NEED_CHECK_PROVIDER(dom->provider);
        }

        /* make sure to update the preq if we changed domain */
        preq->domain = dom;

        /* TODO: check negative cache ? */

        /* Always try to refresh the cache first on authentication */
        if (preq->check_provider &&
            (preq->pd->cmd == SSS_PAM_AUTHENTICATE ||
             preq->pd->cmd == SSS_PAM_SETCRED)) {

            /* call provider first */
            break;
        }

        DEBUG(4, ("Requesting info for [%s@%s]\n", name, dom->name));

        ret = sysdb_get_ctx_from_list(cctx->rctx->db_list, dom, &sysdb);
        if (ret != EOK) {
            DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n"));
            preq->pd->pam_status = PAM_SYSTEM_ERR;
            return EFAULT;
        }
        ret = sysdb_getpwnam(preq, sysdb, dom, name, &preq->res);
        if (ret != EOK) {
            DEBUG(1, ("Failed to make request to our cache!\n"));
            return EIO;
        }

        if (preq->res->count > 1) {
            DEBUG(0, ("getpwnam call returned more than one result !?!\n"));
            return ENOENT;
        }

        if (preq->res->count == 0) {
            /* if a multidomain search, try with next */
            if (!preq->pd->domain) {
                dom = dom->next;
                continue;
            }

            DEBUG(2, ("No results for getpwnam call\n"));

            /* TODO: store negative cache ? */

            return ENOENT;
        }

        /* One result found */

        /* if we need to check the remote account go on */
        if (preq->check_provider) {
            cacheExpire = ldb_msg_find_attr_as_uint64(preq->res->msgs[0],
                                                      SYSDB_CACHE_EXPIRE, 0);
            if (cacheExpire < time(NULL)) {
                break;
            }
        }

        DEBUG(6, ("Returning info for user [%s@%s]\n", name, dom->name));

        return EOK;
    }

At conditional (2): "preq->check_provider" taking the true branch.
    if (preq->check_provider) {

        /* dont loop forever :-) */
        preq->check_provider = false;

Dereferencing null variable "dom".
        ret = sss_dp_send_acct_req(preq->cctx->rctx, preq,
                                   pam_check_user_dp_callback, preq,
                                   SSS_CLI_SOCKET_TIMEOUT/2,
                                   dom->name, false, SSS_DP_USER, name, 0);

After the while(dom) loop, we should check whether dom is NULL and set preq->check_provider to false if so.
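
The path Coverity reports, reduced to a small model with the guard proposed above as a switch. This is an added example, not SSSD code and not the committed fix: the struct layouts, `user_search`, `run_case`, the `guard` parameter and the `example.test` domain are all hypothetical, and the sysdb lookup is replaced by a `cached` flag.

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical reduced model of the loop quoted in the ticket (not SSSD types). */
struct domain { const char *name; bool fqnames, has_provider, cached; struct domain *next; };
struct request { const char *want_domain; bool auth_cmd, check_provider; struct domain *domain; };

enum outcome { FOUND_IN_CACHE, ASK_PROVIDER, NOT_FOUND, NULL_DEREF };

enum outcome user_search(struct request *rq, struct domain *dom, bool guard)
{
    while (dom) {
        /* domainless search: skip domains that require fully qualified names */
        while (dom && !rq->want_domain && dom->fqnames)
            dom = dom->next;
        if (!dom)
            break;
        if (dom != rq->domain)
            rq->check_provider = dom->has_provider;   /* flag set per domain */
        rq->domain = dom;
        if (rq->check_provider && rq->auth_cmd)
            break;                                    /* dom is valid here */
        if (dom->cached)
            return FOUND_IN_CACHE;
        if (!rq->want_domain) {                       /* multidomain: try next */
            dom = dom->next;
            continue;
        }
        return NOT_FOUND;
    }
    /* Guard proposed in the ticket: list exhausted, so nothing to ask. */
    if (guard && dom == NULL)
        rq->check_provider = false;
    if (rq->check_provider) {
        rq->check_provider = false;                   /* don't loop forever */
        if (dom == NULL)
            return NULL_DEREF;       /* the quoted code reads dom->name here */
        return ASK_PROVIDER;
    }
    return NOT_FOUND;
}

/* Constructed input: one provider-backed domain, user absent from its cache. */
enum outcome run_case(bool auth_cmd, bool guard)
{
    struct domain d = { "example.test", false, true, false, NULL };
    struct request rq = { NULL, auth_cmd, false, NULL };
    return user_search(&rq, &d, guard);
}

int main(void) { return run_case(false, true) == NOT_FOUND ? 0 : 1; }
```

The flag set for the last domain visited survives the walk off the end of the list, which is why the guard has to sit between the loop and the `check_provider` test rather than inside the loop.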


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.5.0

Fixed by 28a8ae0

coverity: => 10010
resolution: => fixed
status: new => closed

Fields changed

rhbz: => 0

Metadata Update from @sgallagh:
- Issue assigned to sgallagh
- Issue set to the milestone: SSSD 1.5.0

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1761

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
