s4:kdc: Change signature of is_kadmin_changepw() to accommodate failure cases

author Joseph Sutton <josephsutton@catalyst.net.nz>

Wed, 20 Sep 2023 23:21:28 +0000 (11:21 +1200)

committer Andrew Bartlett <abartlet@samba.org>

Thu, 26 Oct 2023 01:24:32 +0000 (01:24 +0000)
author Joseph Sutton <josephsutton@catalyst.net.nz>
Wed, 20 Sep 2023 23:21:28 +0000 (11:21 +1200)
committer Andrew Bartlett <abartlet@samba.org>
Thu, 26 Oct 2023 01:24:32 +0000 (01:24 +0000)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c

index 91449c258d6d331fbf3e68fe6cf8a970b0f9f92a..9f3f276bc549bfcd0f3f83f2730235d851b7b652 100644 (file)
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -955,12 +955,27 @@ static int principal_comp_strcmp(krb5_context context,
                                          component, string, false);
  }
  
-static bool is_kadmin_changepw(krb5_context context,
-                              krb5_const_principal principal)
+static krb5_error_code is_kadmin_changepw(krb5_context context,
+                                         krb5_const_principal principal,
+                                         bool *is_changepw)
  {
-       return krb5_princ_size(context, principal) == 2 &&
-               (principal_comp_strcmp(context, principal, 0, "kadmin") == 0) &&
-               (principal_comp_strcmp(context, principal, 1, "changepw") == 0);
+       int cmp = 0;
+
+       if (krb5_princ_size(context, principal) != 2) {
+               *is_changepw = false;
+               return 0;
+       }
+
+       cmp = principal_comp_strcmp(context, principal, 0, "kadmin");
+       if (cmp != 0) {
+               *is_changepw = false;
+               return 0;
+       }
+
+       cmp = principal_comp_strcmp(context, principal, 1, "changepw");
+
+       *is_changepw = cmp == 0;
+       return 0;
  }
  
  static krb5_error_code samba_kdc_get_entry_principal(
@@ -1333,10 +1348,17 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
                  * 'change password', as otherwise we could get into
                  * trouble, and not enforce the password expiry.
                  * Instead, only do it when request is for the kpasswd service */
-               if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER &&
-                   is_kadmin_changepw(context, principal) &&
-                   lpcfg_is_my_domain_or_realm(lp_ctx, realm)) {
-                       entry->flags.change_pw = 1;
+               if (ent_type == SAMBA_KDC_ENT_TYPE_SERVER) {
+                       bool is_changepw = false;
+
+                       ret = is_kadmin_changepw(context, principal, &is_changepw);
+                       if (ret) {
+                               goto out;
+                       }
+
+                       if (is_changepw && lpcfg_is_my_domain_or_realm(lp_ctx, realm)) {
+                               entry->flags.change_pw = 1;
+                       }
                 }
  
                 TALLOC_FREE(realm);
author	Joseph Sutton <josephsutton@catalyst.net.nz>
	Wed, 20 Sep 2023 23:21:28 +0000 (11:21 +1200)
committer	Andrew Bartlett <abartlet@samba.org>
	Thu, 26 Oct 2023 01:24:32 +0000 (01:24 +0000)