From 58b7cafc28dc86c4afae485b139927630c58bdc4 Mon Sep 17 00:00:00 2001 From: Michal Privoznik Date: Mon, 27 Mar 2023 10:51:44 +0200 Subject: [PATCH] virauth: Report error on empty auth result When opening a connection, it may be necessary to provide user credentials, or some additional info (e.g. whether to trust an ssh key). We have a special API for that: virConnectOpenAuth() where and additional callback can be passed. This callback is then called with _virConnectCredential struct filled partially and it's callback's responsibility to get desired data (e.g. by prompting user) and store it into .result member of the struct. But we document the callback behaviour as: When authentication requires one or more interactions, this callback is invoked. For each interaction supplied, data must be gathered from the user and filled in to the 'result' and 'resultlen' fields. If an interaction cannot be filled, fill in NULL and 0. Returns 0 if all interactions were filled, or -1 upon error But there are some buggy callbacks out there, which set: .result = NULL; .resultlen = 0; and return 0. Report an error when such buggy callback is met. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2181235 Signed-off-by: Michal Privoznik Reviewed-by: Martin Kletzander --- src/util/virauth.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/util/virauth.c b/src/util/virauth.c index d6917bde9f..bd676858ce 100644 --- a/src/util/virauth.c +++ b/src/util/virauth.c @@ -176,7 +176,8 @@ virAuthGetUsernamePath(const char *path, cred.result = NULL; cred.resultlen = 0; - if ((*(auth->cb))(&cred, 1, auth->cbdata) < 0) { + if ((*(auth->cb))(&cred, 1, auth->cbdata) < 0 || + !cred.result) { virReportError(VIR_ERR_AUTH_FAILED, "%s", _("Username request failed")); VIR_FREE(cred.result); 
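Review bot: The new `!cred.result` test in virAuthGetUsernamePath (and the matching `!ret->result` in virAuthAskCredential) has no comment explaining why a return of 0 from the callback is not trusted on its own, even though the callback documentation quoted in the description still tells implementers to "fill in NULL and 0" for an interaction they cannot fill. A one-line comment above the condition would make the tightened contract explicit, e.g. `/* cb may return 0 yet leave result NULL; treat that as failure so no caller receives a NULL credential */`. Only NULL is rejected: a non-NULL result with resultlen 0 still passes, which looks intentional since an empty answer can be legitimate, but the comment should say so. Both function bodies start and end outside their hunks, so how result is consumed afterwards is not visible here.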
@@ -310,7 +311,8 @@ virAuthAskCredential(virConnectAuthPtr auth, ret->prompt = prompt; - if (auth->cb(ret, 1, auth->cbdata) < 0) { + if (auth->cb(ret, 1, auth->cbdata) < 0 || + !ret->result) { virReportError(VIR_ERR_OPERATION_FAILED, "%s", _("failed to retrieve user response for authentication callback")); return NULL;
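Review bot: In virAuthAskCredential the NULL-result case reuses the message written for a callback that reported failure, so an application author whose callback returned 0 without filling result gets no hint about what went wrong. Since the stated purpose is to surface buggy callbacks, I would test `!ret->result` in its own branch after the `< 0` check and report a distinct message there, such as `_("authentication callback returned success without a result")`. The same applies to the "Username request failed" message in virAuthGetUsernamePath, where the separate branch would keep the existing cleanup. The function body starts and ends outside the hunk.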