From: Marco Bettini Date: Mon, 12 Jun 2023 10:01:36 +0000 (+0000) Subject: login-common: sasl authenticate_callback() - Fix null pointer dereferencing X-Git-Tag: 2.4.0~2691 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=daf13a667a25d5294540b9d053491da8e1e22c8f;p=thirdparty%2Fdovecot%2Fcore.git login-common: sasl authenticate_callback() - Fix null pointer dereferencing Broken by e9c008893f963248d522173180734f0e8a4cced8 Found by coverity The checking for "resp" in AUTH_REQUEST_STATUS_OK has been currently removed, since we have no SASL mechanisms requiring it. Besides, it was only partially implemented and didn't actually work. --- diff --git a/src/login-common/client-common.h b/src/login-common/client-common.h index 480d204305..e910c8a4c1 100644 --- a/src/login-common/client-common.h +++ b/src/login-common/client-common.h @@ -205,7 +205,6 @@ struct client { struct auth_client_request *reauth_request; string_t *auth_response; struct timeval auth_first_started, auth_finished; - const char *sasl_final_delayed_resp; enum sasl_server_reply delayed_final_reply; const char *const *final_args; const char *const *auth_passdb_args; diff --git a/src/login-common/sasl-server.c b/src/login-common/sasl-server.c index 21efdff198..6920b603f2 100644 --- a/src/login-common/sasl-server.c +++ b/src/login-common/sasl-server.c @@ -371,9 +371,6 @@ authenticate_callback(struct auth_client_request *request, client->auth_anonymous = TRUE; } else if (str_begins(args[i], "event_", &key)) { event_add_str(client->event_auth, key, value); - } else if (strcmp(key, "resp") == 0) { - client->sasl_final_delayed_resp = - p_strdup(client->pool, value); } } @@ -394,6 +391,7 @@ authenticate_callback(struct auth_client_request *request, case AUTH_REQUEST_STATUS_ABORT: client->auth_request = NULL; + const char *sasl_final_delayed_resp = NULL; if (args != NULL) { /* parse our username if it's there */ for (i = 0; args[i] != NULL; i++) { 
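Review bot: The added `const char *sasl_final_delayed_resp = NULL;` is declared in the middle of the `case AUTH_REQUEST_STATUS_ABORT:` body without a braced block, so its scope extends to the end of the enclosing switch. A case label added below it later would jump past the initialiser and could read the pointer with an indeterminate value. Opening a block at the label, `case AUTH_REQUEST_STATUS_ABORT: {`, with the matching `}` at the end of the case, would keep the local confined to the failure path. The case body continues past the end of this hunk, so whether further labels follow is not visible here.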
@@ -402,19 +400,19 @@ authenticate_callback(struct auth_client_request *request, if (args_parse_user(client, key, value)) continue; if (strcmp(key, "resp") == 0) { - client->sasl_final_delayed_resp = + sasl_final_delayed_resp = p_strdup(client->preproxy_pool, value); } } } - if (client->sasl_final_delayed_resp != NULL && + if (sasl_final_delayed_resp != NULL && !login_binary->sasl_support_final_reply) { client->final_response = TRUE; client->final_args = p_strarray_dup(client->preproxy_pool, args); client->delayed_final_reply = SASL_SERVER_REPLY_AUTH_FAILED; client->sasl_callback(client, SASL_SERVER_REPLY_CONTINUE, - client->sasl_final_delayed_resp, NULL); + sasl_final_delayed_resp, NULL); } else { client->authenticating = FALSE; call_client_callback(client, SASL_SERVER_REPLY_AUTH_FAILED,
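Review bot: The `p_strdup(client->preproxy_pool, value)` copy in the `resp` branch now feeds a local that, as far as this hunk shows, is only read by the `client->sasl_callback(...)` call a few lines below. Each failed attempt carrying `resp` therefore appears to leave a string in `preproxy_pool` that nothing references afterwards. If the callback consumes the string before returning and `value` stays valid until then (both are decided outside this hunk), `sasl_final_delayed_resp = value;` would be enough. Otherwise a comment such as `/* copied because the callback keeps the pointer */` would record why the allocation stays. The loop header and the assignment of `key` and `value` sit above the hunk, and the final `call_client_callback(` statement is cut off at its end.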