From 4ebb488e512dcaeb1aa1866dd40d2515f9c5da96 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Fri, 24 Nov 2023 17:59:24 +1300
Subject: [PATCH] libcli/security: don't allow two NULL string claims

This restores the behaviour with regard to duplicate NULL strings that
existed before the last commit. I'm putting it separately, because it
seems so strange, and I not entirely certain the behaviour is
intentional.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 libcli/security/claims-conversions.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/libcli/security/claims-conversions.c b/libcli/security/claims-conversions.c
index 9ae2aee7208..e73771e0e12 100644
--- a/libcli/security/claims-conversions.c
+++ b/libcli/security/claims-conversions.c
@@ -837,7 +837,7 @@ NTSTATUS token_claims_to_claims_v1(TALLOC_CTX *mem_ctx,
 			{
 				const struct CLAIM_STRING *values = &claim_entry->values.claim_string;
 				uint32_t k, m;
-
+				bool seen_empty = false;
 				n_values = values->value_count;
 				value_type = CLAIM_SECURITY_ATTRIBUTE_TYPE_STRING;
 
@@ -861,6 +861,21 @@ NTSTATUS token_claims_to_claims_v1(TALLOC_CTX *mem_ctx,
 						}
 						claim_values[m].string_value = string_value;
 						m++;
+					} else {
+						/*
+						 * We allow one NULL string
+						 * per claim, but not two,
+						 * because two would be a
+						 * duplicate, and we don't
+						 * want those (duplicates in
+						 * actual values are checked
+						 * later).
+						 */
+						if (seen_empty) {
+							talloc_free(claims);
+							return NT_STATUS_INVALID_PARAMETER;
+						}
+						seen_empty = true;
 					}
 				}
 				n_values = m;