#1861 potential out-of-bounds-write in sss_idmap_sid_to_dom_sid
Closed: Fixed None Opened 7 years ago by jhrozek.

Found by Coverity:

291    do {

20. Condition "dom_sid->num_auths > 15", taking false branch

21. cond_at_most: Checking "dom_sid->num_auths > 15" implies that the value of "dom_sid->num_auths" may be up to 15 on the false branch.
292        if (dom_sid->num_auths > SID_SUB_AUTHS) {
293            err = IDMAP_SID_INVALID;
294            goto done;
295        }
296
297        r++;

22. Condition "!(*__ctype_b_loc()[(int)*r] & 2048 /* (unsigned short)_ISdigit */)", taking false branch
298        if (!isdigit(*r)) {
299            err = IDMAP_SID_INVALID;
300            goto done;
301        }
302
303        errno = 0;
304        ul = strtoul(r, &end, 10);

23. Condition "*__errno_location() != 0", taking false branch

24. Condition "ul > 4294967295U", taking false branch

25. Condition "end == NULL", taking false branch

26. Condition "*end != 0", taking true branch

27. Condition "*end != '-'", taking false branch
305        if (errno != 0 || ul > UINT32_MAX || end == NULL ||
306            (*end != '\0' && *end != '-')) {
307            err = IDMAP_SID_INVALID;
308            goto done;
309        }
310

CID 10028 (#1 of 1): Out-of-bounds write (OVERRUN)

28. overrun-local: Overrunning array "dom_sid->sub_auths" of 15 4-byte elements at element index 15 (byte offset 60) using index "dom_sid->num_auths++" (which evaluates to 15).
311        dom_sid->sub_auths[dom_sid->num_auths++] = ul;
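
The off-by-one that the trace above walks through, as an added example that is not SSSD's code: the `>` test lets the loop continue with `num_auths == 15`, so the next store targets index 15 of a 15-element array, while a `>=` test rejects the input first. The helper `parse_sub_auths`, its `off_by_one` flag, the result codes and the sample strings are constructed for illustration; the would-be overrun is reported as `PARSE_OVERRUN` rather than performed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define SID_SUB_AUTHS 15  /* array size named in the Coverity message */
/* Constructed sample inputs: 15 and 16 sub-authorities. */
#define TAIL_15 "-1-2-3-4-5-6-7-8-9-10-11-12-13-14-15"
#define TAIL_16 TAIL_15 "-16"
enum { PARSE_OK = 0, PARSE_INVALID = -1, PARSE_OVERRUN = -2 };

/* Hypothetical helper. off_by_one=1 uses the `>` check from the trace,
 * off_by_one=0 uses `>=`. A store at index >= SID_SUB_AUTHS is reported as
 * PARSE_OVERRUN instead of being performed. */
static int parse_sub_auths(const char *r, int off_by_one)
{
    uint32_t sub_auths[SID_SUB_AUTHS];
    unsigned num_auths = 0;
    unsigned long ul;
    char *end;
    do {
        if (off_by_one ? num_auths > SID_SUB_AUTHS
                       : num_auths >= SID_SUB_AUTHS) {
            return PARSE_INVALID;
        }
        if (*r != '-' || !isdigit((unsigned char)r[1])) {
            return PARSE_INVALID;
        }
        r++;
        errno = 0;
        ul = strtoul(r, &end, 10);
        if (errno != 0 || ul > UINT32_MAX || (*end != '\0' && *end != '-')) {
            return PARSE_INVALID;
        }
        if (num_auths >= SID_SUB_AUTHS) {
            return PARSE_OVERRUN;  /* index 15: the write Coverity flagged */
        }
        sub_auths[num_auths++] = (uint32_t)ul;
        r = end;
    } while (*r != '\0');
    (void)sub_auths;
    return PARSE_OK;
}

int main(void) {
    printf("'>' check: %d, '>=' check: %d\n",
           parse_sub_auths(TAIL_16, 1), parse_sub_auths(TAIL_16, 0));
    return 0;
}
```

An input with exactly 15 sub-authorities is accepted under both checks; only the 16th separates them.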

Fields changed

owner: somebody => jhrozek
patch: 0 => 1
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10.0
rhbz: => 0

Fields changed

milestone: SSSD 1.10.0 => SSSD 1.10 beta

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.10 beta

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2903

If you want to receive further updates on the issue, please navigate to the github issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
