krb5 commit: Fix OTP preauth crash with null prompter

ghudson at mit.edu
Thu Oct 23 17:02:50 EDT 2025


https://github.com/krb5/krb5/commit/ca97bf697ab1561af1fbd12f5fd13466ec35a962
commit ca97bf697ab1561af1fbd12f5fd13466ec35a962
Author: Alexander Bokovoy <abokovoy at redhat.com>
Date:   Sun Oct 19 18:14:29 2025 +0300

    Fix OTP preauth crash with null prompter
    
    In doprompt(), check if the caller provided a prompter before
    dereferencing it.  Similar code returns either EIO or
    KRB5_LIBOS_CANTREADPWD; use EIO for this case as OTP preauth prompts
    for a PIN and not a Kerberos password.
    
    [ghudson at mit.edu: edited commit message]
    
    ticket: 9186 (new)

 src/lib/krb5/krb/preauth_otp.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
index 07ffc15c2..48003da62 100644
--- a/src/lib/krb5/krb/preauth_otp.c
+++ b/src/lib/krb5/krb/preauth_otp.c
@@ -479,6 +479,9 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data,
     krb5_error_code retval;
     krb5_prompt_type prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
 
+    if (prompter == NULL)
+        return EIO;
+
     if (prompttxt == NULL || out == NULL)
         return EINVAL;
 
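Review bot: the new `prompter == NULL` check sits ahead of the existing `prompttxt == NULL || out == NULL` argument validation, so a caller that passes a null prompter together with a null `prompttxt` or `out` now gets EIO instead of EINVAL; if argument validation is meant to take precedence, move the new check below the EINVAL check. Either way, a one-line comment above `return EIO;` recording the reasoning from the commit message (OTP prompts for a PIN, not a Kerberos password, hence EIO rather than KRB5_LIBOS_CANTREADPWD) would keep a future reader from "harmonizing" it with the other prompter paths.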

