URL: https://github.com/freeipa/freeipa/pull/3622
Author: frozencemetery
 Title: #3622: Fix two error paths aroundd ipadb_get_global_config()
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3622/head:pr3622
git checkout pr3622
From a3e9d8673f695525ad8553315eb450a49ff701ca Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Fri, 2 Aug 2019 15:55:20 -0400
Subject: [PATCH 1/2] [KDB] Log INFO message when LDAP connection fails on
 startup

Since krb5_klog_syslog() always needs parameters from syslog.h, move the
include into ipa_krb5.h.

Signed-off-by: Robbie Harwood <rharw...@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb.c          | 6 ++++--
 daemons/ipa-kdb/ipa_kdb_audit_as.c | 1 -
 daemons/ipa-kdb/ipa_kdb_certauth.c | 1 -
 daemons/ipa-kdb/ipa_kdb_mspac.c    | 1 -
 util/ipa_krb5.h                    | 1 +
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 20967316ed..e19505821a 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -24,6 +24,7 @@
 #include <sys/utsname.h>
 
 #include "ipa_kdb.h"
+#include "ipa_krb5.h"
 
 #define IPADB_GLOBAL_CONFIG_CACHE_TIME 60
 
@@ -586,8 +587,9 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
 
     ret = ipadb_get_connection(ipactx);
     if (ret != 0) {
-        /* not a fatal failure, as the LDAP server may be temporarily down */
-        /* TODO: spam syslog with this error */
+        /* Not a fatal failure, as the LDAP server may be temporarily down. */
+        krb5_klog_syslog(LOG_INFO,
+                         "Didn't connect to LDAP on startup: %d", ret);
     }
 
     kerr = krb5_db_set_context(kcontext, ipactx);
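Review bot: The new message in the `ret != 0` branch logs a bare integer at LOG_INFO, which is easy to lose. A KDC that comes up without its LDAP backend is a condition operators usually want to alert on, and the number alone does not say which error namespace it belongs to. If ipadb_get_connection() returns errno-style codes (not visible in this hunk, so confirm first), consider `krb5_klog_syslog(LOG_WARNING, "Didn't connect to LDAP on startup: %d (%s)", ret, strerror(ret));`. The body of ipadb_init_module starts and ends outside the hunk.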
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
index c68a67aa2a..77748a75d6 100644
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
@@ -20,7 +20,6 @@
  * along with this program.  If not, see <http://www.gnu.org/licenses/>.
  */
 
-#include <syslog.h>
 #include "ipa_kdb.h"
 #include "ipa_pwd.h"
 
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
index 82589f2f92..47911aa3de 100644
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -39,7 +39,6 @@
 
 #include <errno.h>
 //#include <krb5/certauth_plugin.h>
-#include <syslog.h>
 #include <sss_certmap.h>
 
 #include "ipa_krb5.h"
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 09eb528226..615a23e95b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -25,7 +25,6 @@
 #include "ipa_kdb.h"
 #include "ipa_mspac.h"
 #include <talloc.h>
-#include <syslog.h>
 #include <unicase.h>
 #include "util/time.h"
 #include "gen_ndr/ndr_krb5pac.h"
diff --git a/util/ipa_krb5.h b/util/ipa_krb5.h
index f64b39c696..c514580d07 100644
--- a/util/ipa_krb5.h
+++ b/util/ipa_krb5.h
@@ -4,6 +4,7 @@
 #include <lber.h>
 #include <krb5/krb5.h>
 #include <kdb.h>
+#include <syslog.h>
 
 struct krb_key_salt {
     krb5_enctype enctype;
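Review bot: Putting `#include <syslog.h>` in ipa_krb5.h means the LOG_* constants now reach the KDB sources only transitively. The ipa_kdb_audit_as.c and ipa_kdb_mspac.c hunks drop their own include and show only `ipa_kdb.h` among the neighbouring includes. That works if ipa_kdb.h pulls in ipa_krb5.h, which is not visible on this page. A comment beside the new line, for example `/* LOG_* levels for krb5_klog_syslog() callers */`, would keep a later header cleanup from removing it.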

From 5a6352a9cc64c59b923f63b7fb2c8842af9187d4 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharw...@redhat.com>
Date: Wed, 4 Sep 2019 13:48:14 -0400
Subject: [PATCH 2/2] [KDB] Fix NULL pointer dereference in
 maybe_require_preauth()

ipadb_get_global_config() is permitted to return NULL.

Signed-off-by: Robbie Harwood <rharw...@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_principals.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index b27612258b..731348e01f 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -1057,7 +1057,7 @@ static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
     struct ipadb_e_data *ied;
 
     config = ipadb_get_global_config(ipactx);
-    if (config->disable_preauth_for_spns) {
+    if (config && config->disable_preauth_for_spns) {
         ied = (struct ipadb_e_data *)entry->e_data;
         if (ied && ied->ipa_user != true) {
             /* not a user, assume SPN */
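Review bot: The added `config &&` guard makes a NULL global config skip the SPN branch silently, and the reason is not written down. Skipping the branch appears to leave the entry's flags as they were, which looks like the conservative outcome, though the rest of the branch is outside the hunk. A comment above the `if`, such as `/* config is NULL when the global config could not be loaded; leave flags unchanged */`, would record that intent. Other callers of ipadb_get_global_config() are not part of this diff and may need the same check. The body of maybe_require_preauth starts and ends outside the hunk.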