From d29527b4e13abfb2600da705224402db458f58d7 Mon Sep 17 00:00:00 2001
From: Avi Kivity <avi@scylladb.com>
Date: Mon, 11 Feb 2019 19:38:20 +0200
Subject: [PATCH] auth: password_authenticator: protect against NULL
 salted_hash

In case salted_hash was NULL, we'd access uninitialized memory when dereferencing
the optional in get_as<>().

Protect against that by using get_opt() and failing authentication if we see a NULL.

Fixes #4168.

Tests: unit (release)
Branches: 3.0, 2.3
Message-Id: <20190211173820.8053-1-avi@scylladb.com>
(cherry picked from commit da9628c6dcc5b5660342ef9f56611a7845e0aab8)
---
 auth/password_authenticator.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/auth/password_authenticator.cc b/auth/password_authenticator.cc
index a53ddc401d..47ae0df1dd 100644
--- a/auth/password_authenticator.cc
+++ b/auth/password_authenticator.cc
@@ -317,7 +317,11 @@ future<authenticated_user> password_authenticator::authenticate(
     }).then_wrapped([=](future<::shared_ptr<cql3::untyped_result_set>> f) {
         try {
             auto res = f.get0();
-            if (res->empty() || !checkpw(password, res->one().get_as<sstring>(SALTED_HASH))) {
+            auto salted_hash = std::experimental::optional<sstring>();
+            if (!res->empty()) {
+                salted_hash = res->one().get_opt<sstring>(SALTED_HASH);
+            }
+            if (!salted_hash || !checkpw(password, *salted_hash)) {
                 throw exceptions::authentication_exception("Username and/or password are incorrect");
             }
             return make_ready_future<authenticated_user>(username);