ipa-kdb: protect against context corruption

Early in startup LDAP server might not respond well yet and
should_support_pac_tkt_sign() will bail out with
KRB5_KDB_SERVER_INTERNAL_ERR. We should postpone this call but for time
being we should prevent a crash.

Crash happens because init_module() returns with an error and KDC then
calls fini_module() which will free the DB context which is already
corrupted for some reason.

Do not call any free() call because the whole context is corrupted as
tests do show.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Julien Rische <jrische@redhat.com>
This commit is contained in:
Alexander Bokovoy 2023-05-24 20:06:55 +03:00 committed by Florence Blanc-Renaud
parent e00f457f75
commit 4ef8258d58

View File

@ -49,6 +49,11 @@ static void ipadb_context_free(krb5_context kcontext,
size_t c;
if (*ctx != NULL) {
if ((*ctx)->magic != IPA_CONTEXT_MAGIC) {
krb5_klog_syslog(LOG_ERR, "IPA context is corrupted");
*ctx = NULL;
return;
}
free((*ctx)->uri);
free((*ctx)->base);
free((*ctx)->realm_base);