From 7c913edc84e0201020b5ab770dd0823911387781 Mon Sep 17 00:00:00 2001 From: Alexey Tikhonov Date: Wed, 22 May 2024 20:19:05 +0200 Subject: [PATCH] CLIENT:idmap: fix coverity warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes following issue: ``` "Error: INTEGER_OVERFLOW (CWE-190): sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:306:5: tainted_data_argument: The value returned in ""replen"" is considered tainted. sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:331:5: overflow: The expression ""replen - 12UL"" might be negative, but is used in a context that treats it as unsigned. sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:331:5: assign: Assigning: ""data_len"" = ""replen - 12UL"". sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:347:9: overflow: The expression ""1UL * data_len"" is deemed underflowed because at least one of its arguments has underflowed. sssd-2.10.0/src/sss_client/idmap/sss_nss_idmap.c:347:9: overflow_sink: ""1UL * data_len"", which might have underflowed, is passed to ""malloc(1UL * data_len)"". # 345| } # 346| # 347|-> str = malloc(sizeof(char) * data_len); # 348| if (str == NULL) { # 349| ret = ENOMEM;" ``` Reviewed-by: Alejandro López Reference: https://github.com/SSSD/sssd/commit/7c913edc84e0201020b5ab770dd0823911387781 Conflict: NA --- src/sss_client/idmap/sss_nss_idmap.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/sss_client/idmap/sss_nss_idmap.c b/src/sss_client/idmap/sss_nss_idmap.c index 575d03057..604933c6d 100644 --- a/src/sss_client/idmap/sss_nss_idmap.c +++ b/src/sss_client/idmap/sss_nss_idmap.c @@ -324,6 +324,11 @@ static int sss_nss_getyyybyxxx(union input inp, enum sss_cli_command cmd, goto done; } + if (replen < DATA_START) { /* make sure 'type' is present */ + ret = EBADMSG; + goto done; + } + /* Skip first two 32 bit values (number of results and * reserved padding) */ SAFEALIGN_COPY_UINT32(&out->type, repbuf + 2 * sizeof(uint32_t), NULL); -- 2.33.0
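Review bot: The new `if (replen < DATA_START)` check in sss_nss_getyyybyxxx() still accepts `replen == DATA_START`, so `data_len` (assigned `replen - 12UL` in the Coverity trace, which suggests DATA_START is 12) can be 0 when it reaches `malloc(sizeof(char) * data_len)` at line 347 of that trace. The subtraction can no longer wrap, which is what the warning was about. The code between this check and the malloc is not visible in the hunk, though, so it is worth confirming that the branches which expect a payload either reject a zero-length reply with EBADMSG or handle an empty buffer correctly before copying from `repbuf + DATA_START`. The inline comment says only "make sure 'type' is present"; since the same check also keeps `replen - DATA_START` from underflowing, I would say so in the comment so that a later refactor does not relax it.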