#1861 potential out-of-bounds-write in sss_idmap_sid_to_dom_sid
Closed: Fixed None Opened 6 years ago by jhrozek.

Found by Coverity:

291    do {

20. Condition "dom_sid->num_auths > 15", taking false branch

21. cond_at_most: Checking "dom_sid->num_auths > 15" implies that the value of "dom_sid->num_auths" may be up to 15 on the false branch.
292        if (dom_sid->num_auths > SID_SUB_AUTHS) {
293            err = IDMAP_SID_INVALID;
294            goto done;
295        }
296
297        r++;

22. Condition "!(*__ctype_b_loc()[(int)*r] & 2048 /* (unsigned short)_ISdigit */)", taking false branch
298        if (!isdigit(*r)) {
299            err = IDMAP_SID_INVALID;
300            goto done;
301        }
302
303        errno = 0;
304        ul = strtoul(r, &end, 10);

23. Condition "*__errno_location() != 0", taking false branch

24. Condition "ul > 4294967295U", taking false branch

25. Condition "end == NULL", taking false branch

26. Condition "*end != 0", taking true branch

27. Condition "*end != '-'", taking false branch
305        if (errno != 0 || ul > UINT32_MAX || end == NULL ||
306            (*end != '\0' && *end != '-')) {
307            err = IDMAP_SID_INVALID;
308            goto done;
309        }
310

CID 10028 (#1 of 1): Out-of-bounds write (OVERRUN)

28. overrun-local: Overrunning array "dom_sid->sub_auths" of 15 4-byte elements at element index 15 (byte offset 60) using index "dom_sid->num_auths++" (which evaluates to 15).
311        dom_sid->sub_auths[dom_sid->num_auths++] = ul;
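
The off-by-one in the trace above, reproduced as an added example (not SSSD's code or its fix): with the `>` comparison a 16th sub-authority is stored at index 15, while a `>=` comparison rejects it. `struct demo_sid`, `parse_sub_auths`, `demo_highest_index` and the `fixed` flag are hypothetical names, and the array carries one extra guard slot so the demo itself never writes out of bounds.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define SID_SUB_AUTHS 15

/* Hypothetical stand-in for the parsed SID. The +1 guard slot keeps this demo
 * in bounds when the flawed check lets index 15 through. */
struct demo_sid { unsigned num_auths; uint32_t sub_auths[SID_SUB_AUTHS + 1]; };

/* Parse "-1-2-3..." into sid. fixed == 0 uses the "> SID_SUB_AUTHS" test from
 * the trace, fixed != 0 uses ">=". Returns the highest index written, or -1
 * if the input was rejected. */
int parse_sub_auths(const char *r, struct demo_sid *sid, int fixed)
{
    char *end;
    unsigned long ul;
    int highest = -1;

    sid->num_auths = 0;
    if (*r != '-') return -1;
    do {
        if (fixed ? sid->num_auths >= SID_SUB_AUTHS
                  : sid->num_auths > SID_SUB_AUTHS) return -1;
        r++;
        if (!isdigit((unsigned char)*r)) return -1;
        errno = 0;
        ul = strtoul(r, &end, 10);
        if (errno != 0 || ul > UINT32_MAX || (*end != '\0' && *end != '-'))
            return -1;
        highest = (int)sid->num_auths;   /* index about to be written */
        sid->sub_auths[sid->num_auths++] = (uint32_t)ul;
        r = end;
    } while (*r != '\0');
    return highest;
}

/* Constructed input: builds "-1-2-...-n" and returns parse_sub_auths() on it. */
int demo_highest_index(int n, int fixed)
{
    char buf[128] = "";
    size_t off = 0;
    struct demo_sid sid;

    for (int i = 1; i <= n && off < sizeof(buf) - 12; i++)
        off += (size_t)snprintf(buf + off, sizeof(buf) - off, "-%d", i);
    return parse_sub_auths(buf, &sid, fixed);
}
```

An index of 15 returned for 16 sub-authorities is the write Coverity flags: one element past a 15-element array.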

Fields changed

owner: somebody => jhrozek
patch: 0 => 1
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10.0
rhbz: => 0

Fields changed

milestone: SSSD 1.10.0 => SSSD 1.10 beta

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.10 beta

2 years ago
