From 64e5041008744362fdbb16e16bc3e049a2d426aa Mon Sep 17 00:00:00 2001 From: John Spray Date: Tue, 21 Jul 2015 16:09:32 +0100 Subject: [PATCH] auth: check return value of keyring->get_secret get_secret can fail to populate the passed CryptoKey, for example if the entity name is not found in the keyring. In this case, attempts to use the CryptoKey will lead to segfaults. Fixes: #12417 Signed-off-by: John Spray --- src/auth/cephx/CephxClientHandler.cc | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/src/auth/cephx/CephxClientHandler.cc b/src/auth/cephx/CephxClientHandler.cc index b6d3501ecd5..ff32a425757 100644 --- a/src/auth/cephx/CephxClientHandler.cc +++ b/src/auth/cephx/CephxClientHandler.cc @@ -40,7 +40,11 @@ int CephxClientHandler::build_request(bufferlist& bl) const ::encode(header, bl); CryptoKey secret; - keyring->get_secret(cct->_conf->name, secret); + const bool got = keyring->get_secret(cct->_conf->name, secret); + if (!got) { + ldout(cct, 20) << "no secret found for entity: " << cct->_conf->name << dendl; + return -ENOENT; + } CephXAuthenticate req; get_random_bytes((char *)&req.client_challenge, sizeof(req.client_challenge)); @@ -113,7 +117,11 @@ int CephxClientHandler::handle_response(int ret, bufferlist::iterator& indata) { ldout(cct, 10) << " get_auth_session_key" << dendl; CryptoKey secret; - keyring->get_secret(cct->_conf->name, secret); + const bool got = keyring->get_secret(cct->_conf->name, secret); + if (!got) { + ldout(cct, 0) << "key not found for " << cct->_conf->name << dendl; + return -ENOENT; + } if (!tickets.verify_service_ticket_reply(secret, indata)) { ldout(cct, 0) << "could not verify service_ticket reply" << dendl; 
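Review bot: In build_request the new early return sits after `::encode(header, bl)`, so when the key is missing the caller gets -ENOENT together with a bufferlist that already holds the encoded header. Whether callers check the return value before sending `bl` is not visible in this hunk. It would be safer to do the keyring lookup before anything is written to `bl`, if the surrounding code allows that. Otherwise state the contract on the function, e.g. `// on a non-zero return bl may hold a partial request and must not be sent`. The body of build_request starts and ends outside the hunk.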
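Review bot: The missing-key case is logged at level 0 in this get_auth_session_key path and in the rotating_secrets hunk (`@@ -150,7 +158,11 @@`), but at level 20 in build_request, and the message wording differs ("no secret found for entity: " versus "key not found for "). An authentication failure caused by a missing keyring entry is something an operator should see without raising debug levels. Unless the lower level is deliberate, the build_request line would read better as `ldout(cct, 0) << "key not found for " << cct->_conf->name << dendl;`. The same five lines now appear three times, so a small private helper that does the lookup and the logging would keep the sites from drifting apart again. handle_response continues outside the hunk.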
@@ -150,7 +158,11 @@ int CephxClientHandler::handle_response(int ret, bufferlist::iterator& indata) if (rotating_secrets) { RotatingSecrets secrets; CryptoKey secret_key; - keyring->get_secret(cct->_conf->name, secret_key); + const bool got = keyring->get_secret(cct->_conf->name, secret_key); + if (!got) { + ldout(cct, 0) << "key not found for " << cct->_conf->name << dendl; + return -ENOENT; + } std::string error; if (decode_decrypt(cct, secrets, secret_key, indata, error)) { ldout(cct, 0) << "could not set rotating key: decode_decrypt failed. error:"