-rw-r--r-- | source4/kdc/hdb-ldb.c | 40 |
1 files changed, 24 insertions, 16 deletions
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index ceffad7ef7..7cb02b8224 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -384,24 +384,32 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
 ldb_keys = ldb_msg_find_element(msg, "krb5Key");
- /* allocate space to decode into */
- entry_ex->entry.keys.val = calloc(ldb_keys->num_values, sizeof(Key));
- if (entry_ex->entry.keys.val == NULL) {
- ret = ENOMEM;
- goto out;
- }
- entry_ex->entry.keys.len = ldb_keys->num_values;
-
- /* Decode Kerberos keys into the hdb structure */
- for (i=0; i < entry_ex->entry.keys.len; i++) {
- size_t decode_len;
- ret = decode_Key(ldb_keys->values[i].data, ldb_keys->values[i].length,
- &entry_ex->entry.keys.val[i], &decode_len);
- if (ret) {
- /* Could be bougus data in the entry, or out of memory */
+ if (!ldb_keys) {
+ /* oh, no password. Apparently (comment in
+ * hdb-ldap.c) this violates the ASN.1, but this
+ * allows an entry with no keys (yet). */
+ entry_ex->entry.keys.val = NULL;
+ entry_ex->entry.keys.len = 0;
+ } else {
+ /* allocate space to decode into */
+ entry_ex->entry.keys.val = calloc(ldb_keys->num_values, sizeof(Key));
+ if (entry_ex->entry.keys.val == NULL) {
+ ret = ENOMEM;
 goto out;
 }
- }
+ entry_ex->entry.keys.len = ldb_keys->num_values;
+
+ /* Decode Kerberos keys into the hdb structure */
+ for (i=0; i < entry_ex->entry.keys.len; i++) {
+ size_t decode_len;
+ ret = decode_Key(ldb_keys->values[i].data, ldb_keys->values[i].length,
+ &entry_ex->entry.keys.val[i], &decode_len);
+ if (ret) {
+ /* Could be bougus data in the entry, or out of memory */
+ goto out;
+ }
+ }
+ }
 entry_ex->entry.etypes = malloc(sizeof(*(entry_ex->entry.etypes)));
 if (entry_ex->entry.etypes == NULL) { |
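Review bot: In the new `else` branch, a `krb5Key` element that is present but holds zero values still reaches `calloc(ldb_keys->num_values, sizeof(Key))`, and `calloc(0, ...)` is allowed to return NULL, which the following check reports as `ENOMEM`. If ldb can hand back such an element, the no-keys case this change is meant to tolerate would fail on those platforms; folding it into the first branch avoids that: `if (!ldb_keys || ldb_keys->num_values == 0) {`. Separately, `decode_len` is filled in by `decode_Key` but never compared with `ldb_keys->values[i].length`, so trailing bytes after a stored key are accepted silently; comparing the two and treating a mismatch as a decode failure would make malformed directory data visible. LDB_message2entry and its `out` cleanup label lie outside this hunk, so how a partially decoded `keys.val` array is freed cannot be checked from here.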