#1684 Dereference after null check in sss_idmap_sid_to_unix
Closed: Fixed None Opened 6 years ago by mzidek.

We could return error code if NULL is passed to this function.

enum idmap_error_code sss_idmap_sid_to_unix(struct sss_idmap_ctx *ctx,
293                                            const char *sid,
294                                            uint32_t *id)
295{
296    struct idmap_domain_info *idmap_domain_info;
297    size_t dom_len;
298    long long rid;
299    char *endptr;
300
301    CHECK_IDMAP_CTX(ctx, IDMAP_CONTEXT_INVALID);
302
303    idmap_domain_info = ctx->idmap_domain_info;
304
At conditional (1): "sid" taking the false branch.
CID 13117: Dereference after null check (FORWARD_NULL)Comparing "sid" to null implies that "sid" might be null.
305    if (sid && sss_idmap_sid_is_builtin(sid)) {
306        return IDMAP_BUILTIN_SID;
307    }
308
At conditional (2): "idmap_domain_info != NULL" taking the true branch.
309    while (idmap_domain_info != NULL) {
310        dom_len = strlen(idmap_domain_info->sid);
Passing null variable "sid" to function "strlen", which dereferences it. (The dereference is assumed on the basis of the 'nonnull' parameter attribute.)
311        if (strlen(sid) > dom_len && sid[dom_len] == '-' &&

Fields changed

owner: somebody => mzidek
status: new => assigned

milestone: NEEDS_TRIAGE => SSSD 1.9.3
resolution: => fixed
status: assigned => closed

Found by Coverity. Nothing to test in RHEL.

rhbz: => 0

Metadata Update from @mzidek:
- Issue assigned to mzidek
- Issue set to the milestone: SSSD 1.9.3

2 years ago

Login to comment on this ticket.

Metadata