From ca97bf697ab1561af1fbd12f5fd13466ec35a962 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Sun, 19 Oct 2025 18:14:29 +0300
Subject: [PATCH] Fix OTP preauth crash with null prompter

In doprompt(), check if the caller provided a prompter before dereferencing it. Similar code returns either EIO or KRB5_LIBOS_CANTREADPWD; use EIO for this case as OTP preauth prompts for a PIN and not a Kerberos password.

[ghudson@mit.edu: edited commit message]

ticket: 9186 (new)
---
 src/lib/krb5/krb/preauth_otp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
index 07ffc15c22..48003da62f 100644
--- a/src/lib/krb5/krb/preauth_otp.c
+++ b/src/lib/krb5/krb/preauth_otp.c
@@ -479,6 +479,9 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data,
 krb5_error_code retval;
 krb5_prompt_type prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
 
+ if (prompter == NULL)
+ return EIO;
+
 if (prompttxt == NULL || out == NULL)
 return EINVAL;
 
-- 
2.47.3
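Review bot: The new `prompter == NULL` guard at the top of doprompt() returns a bare `EIO` with nothing in the code saying why, so the rationale lives only in the commit message; a short comment above it would keep it with the code, e.g. `/* No prompter callback (non-interactive caller): the PIN cannot be read. */`. The diffstat shows only preauth_otp.c changed, so no regression test for a NULL prompter accompanies the fix; a test that runs OTP preauth without a prompter would keep the crash from coming back. If a KDC's OTP challenge is what drives the client into doprompt() (the callers are not shown in this hunk), the old behaviour was a client crash reachable from network input, which is worth recording in the ticket. doprompt() begins before and continues past this hunk, so any other use of `prompter` in the file is not visible here.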