From bc3d8992cd990f9b6a14fc4db48ef8d1a492f77f Mon Sep 17 00:00:00 2001
From: Russ Allbery <rra@stanford.edu>
Date: Thu, 14 Jan 2010 16:09:53 -0800
Subject: [PATCH] Don't attempt to load a password quality verifier from NULL

When kadm5_add_passwd_quality_verifier is called with a NULL
check_library parameter and [password_quality].policy_libraries
is set, the function calls add_verifier() for each string in the
policy_libraries section and then falls through to the non-NULL
case and calls add_verifier() a final time with a NULL argument.
This leads to dlopening the running executable and then failing
since it contains no password quality verifier.

If the check_library argument is NULL, only call add_verifier()
for the configured policy_libraries and do not fall through to
the non-NULL case.

Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
---
 lib/kadm5/password_quality.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/kadm5/password_quality.c b/lib/kadm5/password_quality.c
index 045cf4792..577d5cf51 100644
--- a/lib/kadm5/password_quality.c
+++ b/lib/kadm5/password_quality.c
@@ -395,8 +395,10 @@ kadm5_add_passwd_quality_verifier(krb5_context context,
 		return ret;
 	    tmp++;
 	}
+	return 0;
+    } else {
+	return add_verifier(context, check_library);
     }
-    return add_verifier(context, check_library);
 #else
     return 0;
 #endif /* HAVE_DLOPEN */
-- 
2.11.4.GIT