Fix crash in acquiring credentials

When a credential store is provided, but no name is provided, we end up
crashing by dereferencing the name.

Allow the request to proceed without a name, as it may be selected out
of a credential file, but if none was found, return an error.

Signed-off-by: Simo Sorce <[email protected]>

Author: simo5

src/gss_creds.c

@@ -161,9 +161,11 @@ static int get_user_file_creds(const char *filename,
     cred->type = GSSNTLM_CRED_USER;
     cred->cred.user.user.type = GSSNTLM_NAME_USER;
     if (dom) {
+        free(cred->cred.user.user.data.user.domain);
         cred->cred.user.user.data.user.domain = strdup(dom);
         if (!cred->cred.user.user.data.user.domain) return ENOMEM;
     }
+    free(cred->cred.user.user.data.user.name);
     cred->cred.user.user.data.user.name = strdup(usr);
     if (!cred->cred.user.user.data.user.name) return ENOMEM;
 
@@ -235,52 +237,51 @@ static int get_creds_from_store(struct gssntlm_name *name,
     uint32_t i;
     int ret;
 
-    /* special case to let server creds carry a keyfile */
-    if (name->type == GSSNTLM_NAME_SERVER) {
-        const char *keyfile = NULL;
-        cred->type = GSSNTLM_CRED_SERVER;
-        ret = gssntlm_copy_name(name, &cred->cred.server.name);
-        if (ret) return ret;
-        for (i = 0; i < cred_store->count; i++) {
-            if (strcmp(cred_store->elements[i].key,
-                        GSS_NTLMSSP_CS_KEYFILE) == 0) {
-                keyfile = cred_store->elements[i].value;
+    if (name) {
+        /* special case to let server creds carry a keyfile */
+        if (name->type == GSSNTLM_NAME_SERVER) {
+            const char *keyfile = NULL;
+            cred->type = GSSNTLM_CRED_SERVER;
+            ret = gssntlm_copy_name(name, &cred->cred.server.name);
+            if (ret) return ret;
+            for (i = 0; i < cred_store->count; i++) {
+                if (strcmp(cred_store->elements[i].key,
+                            GSS_NTLMSSP_CS_KEYFILE) == 0) {
+                    keyfile = cred_store->elements[i].value;
+                }
             }
-        }
-        if (keyfile) {
-            cred->cred.server.keyfile = strdup(keyfile);
-            if (cred->cred.server.keyfile == NULL) {
-                return errno;
+            if (keyfile) {
+                cred->cred.server.keyfile = strdup(keyfile);
+                if (cred->cred.server.keyfile == NULL) {
+                    return errno;
+                }
             }
+            return 0;
         }
-        return 0;
+
+        if (name->type != GSSNTLM_NAME_USER) return ENOENT;
+
+        ret = gssntlm_copy_name(name, &cred->cred.user.user);
+        if (ret) return ret;
     }
 
     /* so far only user options can be defined in the cred_store */
-    if (name->type != GSSNTLM_NAME_USER) return ENOENT;
-
     cred->type = GSSNTLM_CRED_USER;
-    ret = gssntlm_copy_name(name, &cred->cred.user.user);
-    if (ret) return ret;
 
     for (i = 0; i < cred_store->count; i++) {
         if (strcmp(cred_store->elements[i].key, GSS_NTLMSSP_CS_DOMAIN) == 0) {
-            /* ignore duplicates */
-            if (cred->cred.user.user.data.user.domain) continue;
+            free(cred->cred.user.user.data.user.domain);
             cred->cred.user.user.data.user.domain =
                                     strdup(cred_store->elements[i].value);
             if (!cred->cred.user.user.data.user.domain) return ENOMEM;
         }
         if (strcmp(cred_store->elements[i].key, GSS_NTLMSSP_CS_NTHASH) == 0) {
-            /* ignore duplicates */
-            if (cred->cred.user.nt_hash.length) continue;
             ret = hex_to_key(cred_store->elements[i].value,
                              &cred->cred.user.nt_hash);
             if (ret) return ret;
         }
         if ((strcmp(cred_store->elements[i].key, GSS_NTLMSSP_CS_PASSWORD) == 0) ||
             (strcmp(cred_store->elements[i].key, GENERIC_CS_PASSWORD) == 0)) {
-            if (cred->cred.user.nt_hash.length) continue;
             cred->cred.user.nt_hash.length = 16;
             ret = NTOWFv1(cred_store->elements[i].value,
                           &cred->cred.user.nt_hash);
@@ -301,6 +302,9 @@ static int get_creds_from_store(struct gssntlm_name *name,
         }
     }
 
+    /* now check if a user name was found, if not error out */
+    if (cred->cred.user.user.data.user.name == NULL) return ENOENT;
+
     return 0;
 }
 

tests/ntlmssptest.c

@@ -2655,6 +2655,38 @@ int test_NTOWF_UTF16(struct ntlm_ctx *ctx)
     return test_keys("results", &expected, &result);
 }
 
+int test_ACQ_NO_NAME(void)
+{
+    gss_cred_id_t cli_cred = GSS_C_NO_CREDENTIAL;
+    gss_key_value_element_desc cred_file = {
+        .key = GSS_NTLMSSP_CS_KEYFILE,
+        .value = TEST_USER_FILE
+    };
+    gss_key_value_set_desc cred_store = {
+        .elements = &cred_file,
+        .count = 1
+    };
+    uint32_t retmin, retmaj;
+    int ret;
+
+    retmaj = gssntlm_acquire_cred_from(&retmin, GSS_C_NO_NAME,
+                                       GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
+                                       GSS_C_INITIATE, &cred_store,
+                                       &cli_cred, NULL, NULL);
+    if (retmaj != GSS_S_COMPLETE) {
+        print_gss_error("gssntlm_acquire_cred_from(cred_store) failed!",
+                        retmaj, retmin);
+        ret = EINVAL;
+        goto done;
+    }
+
+    ret = 0;
+
+done:
+    gssntlm_release_cred(&retmin, &cli_cred);
+    return ret;
+}
+
 int main(int argc, const char *argv[])
 {
     struct ntlm_ctx *ctx;
@@ -2883,11 +2915,16 @@ int main(int argc, const char *argv[])
     fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS"));
     if (ret) gret++;
 
-    fprintf(stderr, "Test NTOWF iwith UTF16\n");
+    fprintf(stderr, "Test NTOWF with UTF16\n");
     ret = test_NTOWF_UTF16(ctx);
     fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS"));
     if (ret) gret++;
 
+    fprintf(stderr, "Test Acquired cred from with no name\n");
+    ret = test_ACQ_NO_NAME();
+    fprintf(stderr, "Test: %s\n", (ret ? "FAIL":"SUCCESS"));
+    if (ret) gret++;
+
 done:
     ntlm_free_ctx(&ctx);
     return gret;