From da5d7beb6bc37b3c932e89f1189f16a7f5e93d53 Mon Sep 17 00:00:00 2001
From: Benjamin Dauvergne
Date: Wed, 27 Jun 2018 19:27:33 +0200
Subject: [PATCH] tools: fix segfault in lasso_get_saml_message (fixes #24830)

We reuse the "message" local variable but we should not. Also fix a segfault in lasso_xmltextreader_from_message() when getting the length of "message" before checking if it is NULL or not.
---
 lasso/xml/tools.c | 7 ++++---
 tests/basic_tests.c | 8 +++++++-
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
index 93e80298..6a9ce187 100644
--- a/lasso/xml/tools.c
+++ b/lasso/xml/tools.c
@@ -3056,6 +3056,7 @@ lasso_get_saml_message(xmlChar **query_fields) {
 int i = 0;
 char *enc = NULL;
 char *message = NULL;
+ char *saml_message = NULL;
 char *decoded_message = NULL;
 xmlChar *field = NULL;
 char *t = NULL;
@@ -3096,12 +3097,12 @@ lasso_get_saml_message(xmlChar **query_fields) {
 goto cleanup;
 }
 /* rc contains the length of the result */
- message = (char*)lasso_inflate((unsigned char*) decoded_message, rc);
+ saml_message = (char*)lasso_inflate((unsigned char*) decoded_message, rc);
 cleanup:
 if (decoded_message) {
 lasso_release(decoded_message);
 }
- return message;
+ return saml_message;
 }
 
 /**
@@ -3126,10 +3127,10 @@ lasso_xmltextreader_from_message(const char *message, char **to_free) {
 if (needle && message[len-1] != '=') {
 query_fields = lasso_urlencoded_to_strings(message);
 message = *to_free = lasso_get_saml_message(query_fields);
- len = strlen(message);
 if (! message) {
 goto cleanup;
 }
+ len = strlen(message);
 } else {
 /* POST */
 int rc = 0;
diff --git a/tests/basic_tests.c b/tests/basic_tests.c
index 398d7897..c08cab69 100644
--- a/tests/basic_tests.c
+++ b/tests/basic_tests.c
@@ -2082,7 +2082,7 @@ START_TEST(test15_ds_key_info)
 }
 END_TEST
 
-/* test load federation */
+/* test get issuer */
 START_TEST(test16_test_get_issuer)
 {
 char *content = NULL;
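Review bot: Renaming the return variable to `saml_message` stops the two uses of `message` from aliasing each other, but the hunk leaves both locals undocumented, so the next reader has no way to tell why two pointers are needed; the third hunk's `message = *to_free = lasso_get_saml_message(query_fields);` shows the returned buffer is owned by the caller, which is also nowhere stated. A one-line comment at the new declaration would carry that, e.g. `/* inflated copy returned to the caller, who must free it; 'message' is never returned */`, and the function's doc comment (outside this hunk) should say the return value is NULL on failure and otherwise a freshly allocated buffer. Where `message` itself points (into query_fields or a decoded copy) is not visible here, so that part of the contract should be checked against the start of lasso_get_saml_message, which lies before the hunk.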
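Review bot: In the lasso_xmltextreader_from_message hunk the moved `len = strlen(message);` now runs only on a non-NULL result, but it still relies on the buffer produced by lasso_inflate being NUL-terminated; nothing in the patch shows that guarantee, and without it strlen reads past the decompressed data on externally supplied redirect-binding input. If lasso_inflate does terminate its output, a comment on the moved line, `/* lasso_inflate() NUL-terminates its output, so strlen is safe here */`, records the dependency; if it does not, the length should come from the inflater instead. The earlier `message[len-1] != '='` read on the condition line is safe only while a non-NULL `needle` implies `len > 0`, which is presumably true for a substring search but is not visible in the hunk. The body of lasso_xmltextreader_from_message begins before and continues after this hunk.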
@@ -2169,6 +2169,12 @@ START_TEST(test16_test_get_issuer)
 lasso_release_gobject(spLoginContext);
 lasso_release_gobject(spServerContext);
+ begin_check_do_log("Lasso", G_LOG_LEVEL_DEBUG, "could not decode POST SAML message", TRUE);
+ check_null(lasso_profile_get_issuer(""));
+ end_check_do_log("Lasso");
+ begin_check_do_log("Lasso", G_LOG_LEVEL_DEBUG, "message is not base64", TRUE);
+ check_null(lasso_profile_get_issuer("SAMLRequest=!!hello!!"));
+ end_check_do_log("Lasso");
 }
 END_TEST
-- 
2.18.0
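Review bot: The two added cases cover the POST branch (empty input) and the base64-failure branch of the redirect path, which is where the old `strlen(message)` on a NULL result crashed, but neither reaches the `lasso_inflate` result that tools.c renamed to `saml_message`, because `!!hello!!` is rejected before inflation. A third case feeding a valid-base64 but non-deflate payload would exercise that path; its expected log text should be copied from the code rather than guessed. The checks are keyed on exact debug-message strings, so a short comment such as `/* regression test for #24830: NULL result of lasso_get_saml_message must not be dereferenced */` would tell a maintainer what to preserve if the wording changes. The START_TEST body begins outside this hunk.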