From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 10 Apr 2025 00:22:15 +0000 (-0400)
Subject: Fix conditional in kadm5_chpass_principal_3()
X-Git-Tag: krb5-1.22-beta1~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1423%2Fhead;p=thirdparty%2Fkrb5.git

Fix conditional in kadm5_chpass_principal_3()

Ensure that kadm5_chpass_principal_3() does not reference pol or hist
when the principal has a policy reference but the policy does not
exist.  (Both structures are zeroed in this case, so the resulting
checks are pointless but have defined and harmless behavior.)
---

diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 1557937f22..8f381882d1 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -1304,9 +1304,7 @@ kadm5_chpass_principal_3(void *server_handle,
         goto done;
 
     kdb->pw_expiration = 0;
-    if ((adb.aux_attributes & KADM5_POLICY)) {
-        /* the policy was loaded before */
-
+    if (have_pol) {
         ret = check_pw_reuse(handle->context, hist_keyblocks,
                              kdb->n_key_data, kdb->key_data,
                              1, &hist);