krb5: Fix logic error in OAuth2 code verification#8948
Conversation
There was a problem hiding this comment.
Code Review
This pull request corrects logical errors in conditional checks within oidc_child_id.c and krb5_child.c. Specifically, it fixes the @ separator check in keycloak_lookup and ensures that user code validation in answer_idp_oauth2 correctly fails if either the length differs or the string comparison fails. The review feedback identifies a potential NULL pointer dereference vulnerability in krb5_child.c when data or data->user_code is NULL, and suggests adding a guard check to prevent a segmentation fault.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| } | ||
|
|
||
| if (strlen(data->user_code) != token_len && strcmp(data->user_code, token) != 0) { | ||
| if (strlen(data->user_code) != token_len || strcmp(data->user_code, token) != 0) { |
There was a problem hiding this comment.
If data or data->user_code is NULL, calling strlen(data->user_code) will result in a NULL pointer dereference and cause krb5_child to crash with a segmentation fault. Since oath2_data can be NULL if the challenge was not requested or failed to decode, we must safely guard against NULL pointers before performing string operations.
if (data == NULL || data->user_code == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "OAuth2 data or user code is missing!\n");
kerr = EINVAL;
goto done;
}
if (strlen(data->user_code) != token_len || strcmp(data->user_code, token) != 0) {|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request fixes logical conditions in oidc_child_id.c and krb5_child.c, and adds NULL pointer checks to prevent potential crashes. Specifically, it corrects the separator check for group lookups and ensures that the user code validation fails if either the length or the content does not match. The reviewer recommends also checking if token is NULL in krb5_child.c before calling strcmp to avoid a potential segmentation fault.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| if (data == NULL || data->user_code == NULL) { | ||
| DEBUG(SSSDBG_OP_FAILURE, "OAuth2 data or user code is missing!\n"); | ||
| kerr = EINVAL; | ||
| goto done; | ||
| } | ||
|
|
||
| if (strlen(data->user_code) != token_len || strcmp(data->user_code, token) != 0) { |
There was a problem hiding this comment.
While checking data and data->user_code for NULL is a great improvement to prevent potential null-pointer dereferences, token should also be checked for NULL before calling strcmp on it. If token is NULL, strcmp(data->user_code, token) will result in a segmentation fault, crashing the krb5_child process.
if (data == NULL || data->user_code == NULL || token == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "OAuth2 data, user code, or token is missing!\n");
kerr = EINVAL;
goto done;
}
if (strlen(data->user_code) != token_len || strcmp(data->user_code, token) != 0) {There was a problem hiding this comment.
Hi,
thank you for the logic fixes I agree with them. Please consider Gemini's second suggestion as well.
bye,
Sumit
sssd-bot
left a comment
There was a problem hiding this comment.
Review done using Claude Code / claude-opus-4-6
Functional Issues
-
Missing NULL check for
tokeninanswer_idp_oauth2—src/providers/krb5/krb5_child.c:1057The new NULL guard checks
dataanddata->user_code, buttoken(returned bysss_authtok_get_oauth2at line 1052) is not checked. Iftok->datais NULL in anSSS_AUTHTOK_TYPE_OAUTH2auth token, the subsequentstrcmp(data->user_code, token)at line 1063 would segfaultkrb5_child. This was already flagged by the Gemini review and endorsed by @sumit-bose. The guard should be:if (data == NULL || data->user_code == NULL || token == NULL) {
-
data == NULLcheck at line 1057 may be unreachable, masking a real failure —src/providers/krb5/krb5_child.c:1057answer_idp_oauth2is only called fromsss_krb5_auth_methods_answer(line 1453) when the question isSSSD_IDP_OAUTH2_QUESTION. In the preceding request phase,request_idp_oauth2decodes the challenge and returnsEINVALifdatais NULL (line 1011–1013). However,sss_krb5_auth_methods_requestloops over all questions and the finalkerrreflects the last-processed question, so if another question succeeds after the OAuth2 request fails,oath2_datacan remain NULL while the function returnsEOK, allowing the answer phase to callanswer_idp_oauth2withdata == NULL. The NULL check is therefore correct and necessary as a safety net — but consider whether the request loop should propagate the OAuth2 failure more explicitly rather than silently continuing. -
Missing
:relnote:commit message tag — Both fixes are user-visible: the&&-to-||change inanswer_idp_oauth2is a security-relevant fix (same-length but different user codes would bypass OAuth2 verification), and thekeycloak_lookupfix affects group lookup behavior. Per SSSD commit conventions, user-visible changes should carry a:relnote:tag.
Nits & Non-Functional Issues
-
Commit message style — The commit message
fix: Fix logic errors in Keycloak lookup and OAuth2 code verificationuses afix:prefix. SSSD usescomponent:prefixes (e.g.,krb5:,oidc_child:). Since this PR touches two separate components, consider splitting into two commits with appropriate prefixes, or using a shared prefix likeoidc:. -
No
Resolves:references — If there are upstream issues tracking these bugs, the commit message should includeResolves: https://github.com/SSSD/sssd/issues/<NUMBER>references. -
AI disclosure — Per the SSSD coding style guide, if generative AI assisted in producing this code, the commit message should include a trailer such as
Assisted-By: <tool> (<model>). -
Grammar in debug message —
src/providers/krb5/krb5_child.c:1064:"User code do not match!"should be"User code does not match!"(or"User codes do not match!"). This is a pre-existing issue but is worth fixing while the surrounding code is being modified.
Review of Existing Review Comments
-
Gemini comment (NULL check for
data/data->user_code): This suggestion was adopted in the PR — the guard at line 1057 was added. -
Gemini comment (also check
tokenfor NULL): This suggestion has not been addressed yet. @sumit-bose explicitly endorsed it ("Please consider Gemini's second suggestion as well"). This should be incorporated before merge — see functional issue above. -
@sumit-bose comment: Agrees with the logic fixes and asks the contributor to also address the
tokenNULL check. Still outstanding.
As @sumit-bose explained, this statement is incorrect. |
@alexey-tikhonov Thanks for your review, This PR has been updated and another PR(#8950) is to fix the logic error in oidc_child |
sumit-bose
left a comment
There was a problem hiding this comment.
Hi,
thank you for the fix, ACK.
The CI failures are not related imo.
bye,
Sumit
Fixed a logic errors: a wrong boolean operator in OAuth2 code verification that could allow authentication to proceed with a mismatched user code.
krb5: Fixed a logic error that could lead to incorrect OAuth2 user code verification.