Skip to content
Open
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 8 additions & 2 deletions src/providers/krb5/krb5_child.c
Original file line number Diff line number Diff line change
Expand Up @@ -1054,8 +1054,14 @@ static krb5_error_code answer_idp_oauth2(krb5_context kctx,
goto done;
}

if (strlen(data->user_code) != token_len && strcmp(data->user_code, token) != 0) {
DEBUG(SSSDBG_OP_FAILURE, "User code do not match!\n");
if (data == NULL || data->user_code == NULL || token == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "OAuth2 data, user code, or token is missing!\n");
kerr = EINVAL;
goto done;
}

if (strlen(data->user_code) != token_len || strcmp(data->user_code, token) != 0) {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

If data or data->user_code is NULL, calling strlen(data->user_code) will result in a NULL pointer dereference and cause krb5_child to crash with a segmentation fault. Since oath2_data can be NULL if the challenge was not requested or failed to decode, we must safely guard against NULL pointers before performing string operations.

    if (data == NULL || data->user_code == NULL) {
        DEBUG(SSSDBG_OP_FAILURE, "OAuth2 data or user code is missing!\n");
        kerr = EINVAL;
        goto done;
    }

    if (strlen(data->user_code) != token_len || strcmp(data->user_code, token) != 0) {

DEBUG(SSSDBG_OP_FAILURE, "User code does not match!\n");
kerr = EINVAL;
goto done;
}
Expand Down
Loading