Issue #1861: potential out-of-bounds-write in sss_idmap_sid_to_dom_sid - sssd

SSSD / sssd

#1861 potential out-of-bounds-write in sss_idmap_sid_to_dom_sid

Closed: Fixed None Opened 11 years ago by jhrozek.

Found by Coverity:

291    do {

20. Condition "dom_sid->num_auths > 15", taking false branch

21. cond_at_most: Checking "dom_sid->num_auths > 15" implies that the value of "dom_sid->num_auths" may be up to 15 on the false branch.
292        if (dom_sid->num_auths > SID_SUB_AUTHS) {
293            err = IDMAP_SID_INVALID;
294            goto done;
295        }
296
297        r++;

22. Condition "!(*__ctype_b_loc()[(int)*r] & 2048 /* (unsigned short)_ISdigit */)", taking false branch
298        if (!isdigit(*r)) {
299            err = IDMAP_SID_INVALID;
300            goto done;
301        }
302
303        errno = 0;
304        ul = strtoul(r, &end, 10);

23. Condition "*__errno_location() != 0", taking false branch

24. Condition "ul > 4294967295U", taking false branch

25. Condition "end == NULL", taking false branch

26. Condition "*end != 0", taking true branch

27. Condition "*end != '-'", taking false branch
305        if (errno != 0 || ul > UINT32_MAX || end == NULL ||
306            (*end != '\0' && *end != '-')) {
307            err = IDMAP_SID_INVALID;
308            goto done;
309        }
310

CID 10028 (#1 of 1): Out-of-bounds write (OVERRUN)28. overrun-local: Overrunning array "dom_sid->sub_auths" of 15 4-byte elements at element index 15 (byte offset 60) using index "dom_sid->num_auths++" (which evaluates to 15).
311        dom_sid->sub_auths[dom_sid->num_auths++] = ul;

jhrozek commented 11 years ago

Fields changed

owner: somebody => jhrozek
patch: 0 => 1
status: new => assigned

dpal commented 11 years ago

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10.0
rhbz: => 0

dpal commented 11 years ago

Fields changed

milestone: SSSD 1.10.0 => SSSD 1.10 beta

lslebodn commented 11 years ago

master: 726e335

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.10 beta

7 years ago

pbrezina commented 3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2903

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata

Assignee

jhrozek

Tags

None

Blocking

None

Depending on

None

Priority

major

Milestone

SSSD 1.10 beta

type

defect

component

SSSD

version

1.9.4

selected

None

testsupdated

patch

rhbz

design_review

review

changelog

None

keywords

None

coverity

None

mark

None

blocking

None

design

None

sensitive

None

blockedby

None

feature_milestone

None

SSSD / sssd

Source Code

Documentation

#1861 potential out-of-bounds-write in sss_idmap_sid_to_dom_sid Closed: Fixed None Opened 11 years ago by jhrozek.

Metadata

#1861 potential out-of-bounds-write in sss_idmap_sid_to_dom_sid

Closed: Fixed None Opened 11 years ago by jhrozek.