From 7ab1e01d75eb5776cbc384d677dc3530024d108e Mon Sep 17 00:00:00 2001 From: Nicolas Williams Date: Thu, 12 Mar 2015 21:42:48 -0400 Subject: [PATCH] kadmin: add_enctype check for bogus keys If kadmind returned bogus keys it means that the user lacks the get-keys permission. Generate a warning and exit. Also use calloc() to allocate the new_key_data. Change-Id: I21b697e2ff5adf753b1cfe698877b3f593bbea9e --- kadmin/add_enctype.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/kadmin/add_enctype.c b/kadmin/add_enctype.c index 78b791c2e..0ababf4f1 100644 --- a/kadmin/add_enctype.c +++ b/kadmin/add_enctype.c @@ -82,13 +82,19 @@ add_enctype(struct add_enctype_options*opt, int argc, char **argv) ret = kadm5_get_principal(kadm_handle, princ_ent, &princ, KADM5_KVNO | KADM5_PRINCIPAL | KADM5_KEY_DATA); if (ret) { - krb5_free_principal (context, princ_ent); - krb5_warnx (context, "no such principal: %s", princ_name); + krb5_free_principal(context, princ_ent); + krb5_warnx(context, "no such principal: %s", princ_name); goto out2; } - new_key_data = malloc((princ.n_key_data + n_etypes) - * sizeof(*new_key_data)); + /* Check that we got key data */ + if (kadm5_all_keys_are_bogus(princ.n_key_data, princ.key_data)) { + krb5_warnx(context, "user lacks get-keys privilege"); + goto out; + } + + new_key_data = calloc(princ.n_key_data + n_etypes, + sizeof(*new_key_data)); if (new_key_data == NULL) { krb5_warnx (context, "out of memory"); goto out;