From 42e2a33ada511bd1b52df71d763bf1156355d332 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Wed, 9 Apr 2025 20:22:15 -0400
Subject: [PATCH] Fix conditional in kadm5_chpass_principal_3()

Ensure that kadm5_chpass_principal_3() does not reference pol or hist
when the principal has a policy reference but the policy does not
exist.  (Both structures are zeroed in this case, so the resulting
checks are pointless but have defined and harmless behavior.)
---
 src/lib/kadm5/srv/svr_principal.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 1557937f22..8f381882d1 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -1304,9 +1304,7 @@ kadm5_chpass_principal_3(void *server_handle,
         goto done;
 
     kdb->pw_expiration = 0;
-    if ((adb.aux_attributes & KADM5_POLICY)) {
-        /* the policy was loaded before */
-
+    if (have_pol) {
         ret = check_pw_reuse(handle->context, hist_keyblocks,
                              kdb->n_key_data, kdb->key_data,
                              1, &hist);
-- 
2.47.2