From 831a5f9db3ae2480de74fb051a1beadb2994fbc5 Mon Sep 17 00:00:00 2001
From: Nicolas Williams <nico@twosigma.com>
Date: Sat, 30 Oct 2021 00:40:32 -0500
Subject: [PATCH] hdb: Fix crash when expected KR is missing

---
 lib/hdb/common.c | 2 ++
 lib/hdb/hdb.c    | 3 +++
 2 files changed, 5 insertions(+)

diff --git a/lib/hdb/common.c b/lib/hdb/common.c
index e05921e2f..5100fdb7c 100644
--- a/lib/hdb/common.c
+++ b/lib/hdb/common.c
@@ -995,6 +995,8 @@ derive_keys(krb5_context context,
 
         /* Installing keys invalidates `ckr', so we copy it */
         ret = hdb_entry_get_key_rotation(context, &h->entry, &ckr);
+        if (!ckr)
+            return ret;
         if (ret == 0)
             ret = copy_HDB_Ext_KeyRotation(ckr, &kr);
     }
diff --git a/lib/hdb/hdb.c b/lib/hdb/hdb.c
index bb9b34640..3978048ad 100644
--- a/lib/hdb/hdb.c
+++ b/lib/hdb/hdb.c
@@ -246,6 +246,9 @@ hdb_remove_base_keys(krb5_context context,
     size_t i, k;
 
     ret = hdb_entry_get_key_rotation(context, e, &ckr);
+    if (!ckr)
+        return 0;
+
     if (ret == 0) {
         /*
          * Changing the entry's extensions invalidates extensions obtained