From 2f41018df804e76e4893b58611af6fde5859724c Mon Sep 17 00:00:00 2001
From: Jeff Mitchell
Date: Mon, 22 Jul 2019 12:27:28 -0400
Subject: [PATCH] Fix panic when logging in to userpass without a valid user (#7160)

---
 builtin/credential/userpass/path_login.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/builtin/credential/userpass/path_login.go b/builtin/credential/userpass/path_login.go
index 1a81a70f6..865d5a080 100644
--- a/builtin/credential/userpass/path_login.go
+++ b/builtin/credential/userpass/path_login.go
@@ -64,11 +64,6 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 // Get the user and validate auth
 user, userError := b.user(ctx, req.Storage, username)
 
- // Check for a CIDR match.
- if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, user.TokenBoundCIDRs) {
- return nil, logical.ErrPermissionDenied
- }
-
 var userPassword []byte
 var legacyPassword bool
 // If there was an error or it's nil, we fake a password for the bcrypt
@@ -108,6 +103,11 @@ func (b *backend) pathLogin(ctx context.Context, req *logical.Request, d *framew
 return logical.ErrorResponse("invalid username or password"), nil
 }
 
+ // Check for a CIDR match.
+ if !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, user.TokenBoundCIDRs) {
+ return nil, logical.ErrPermissionDenied
+ }
+
 auth := &logical.Auth{
 Metadata: map[string]string{
 "username": username,
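Review bot: The relocated CIDR check in the second hunk still dereferences `req.Connection` without a nil guard, so if a request can reach pathLogin without connection information it would panic on this line much as the nil `user` did before the move. Failing closed only when a restriction is configured avoids that, assuming `TokenBoundCIDRs` is a slice: `if len(user.TokenBoundCIDRs) > 0 && (req.Connection == nil || !cidrutil.RemoteAddrIsOk(req.Connection.RemoteAddr, user.TokenBoundCIDRs)) {`. The safety of `user.TokenBoundCIDRs` rests on guards above the hunk that are not visible here (pathLogin starts and ends outside it), so a comment such as `// user is known non-nil here; keep the CIDR check below the credential checks` would keep the block from drifting back up. With the new ordering a client outside the bound range gets `ErrPermissionDenied` only after the credential checks pass, while a failed check returns "invalid username or password", so the response now differs by credential validity for out-of-range clients; it is worth confirming that is intended and covering both cases in a test.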