From: Greg Hudson <ghudson@mit.edu>
Date: Sun, 18 May 2014 21:57:25 +0000 (-0400)
Subject: Fix invalid JSON handling in KDC OTP module
X-Git-Tag: krb5-1.13-alpha1~137
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dab1c234e15afdc64dfe776bdbc65bbc17d07e12;p=thirdparty%2Fkrb5.git

Fix invalid JSON handling in KDC OTP module

If the OTP configuration for a principal contains invalid JSON, the
KDC OTP module calls k5_json_get_tid on a null pointer, causing the
KDC process to crash.  Fix this bug by checking the return value of
k5_json_decode in decode_config_json.

ticket: 7912 (new)
target_version: 1.12.2
tags: pullup
---

diff --git a/src/plugins/preauth/otp/otp_state.c b/src/plugins/preauth/otp/otp_state.c
index 4643dff9a2..7deb462d69 100644
--- a/src/plugins/preauth/otp/otp_state.c
+++ b/src/plugins/preauth/otp/otp_state.c
@@ -401,6 +401,8 @@ decode_config_json(const char *config, k5_json_array *out)
 
     /* Decode the config string and make sure it's an array. */
     retval = k5_json_decode((config != NULL) ? config : "[{}]", &val);
+    if (retval != 0)
+        goto error;
     if (k5_json_get_tid(val) != K5_JSON_TID_ARRAY) {
         retval = EINVAL;
         goto error;