URL:
https://github.com/SSSD/sssd/pull/814
Title: #814: certmap: allow missing KU in OpenSSL version
jhrozek commented:
"""
There are some coverity warnings:
```
Error: COMPILER_WARNING:
sssd-2.1.1/src/lib/certmap/sss_certmap.c: scope_hint: In function 'sss_cert_dump_content'
sssd-2.1.1/src/lib/certmap/sss_certmap.c:998:65: warning: format '%d' expects argument of type 'int', but argument 3 has type 'size_t' {aka 'long unsigned int'} [-Wformat=]
# out = talloc_asprintf_append(out, "Extended Key Usage #%d: %s%s%s%s\n",
# ~^
# 996| for (o = 0; c->extended_key_usage_oids[o] != NULL; o++) {
# 997| eku_str = sss_eku_oid2name(c->extended_key_usage_oids[o]);
# 998|-> out = talloc_asprintf_append(out, "Extended Key Usage #%d: %s%s%s%s\n",
# 999| o, c->extended_key_usage_oids[o],
# 1000| eku_str == NULL ? "" : " (",
Error: OVERRUN (CWE-119):
sssd-2.1.1/src/lib/certmap/sss_certmap.c:1007: cond_at_most: Checking "s->san_opt < SAN_END" implies that "s->san_opt" may be up to 12 on the true branch.
sssd-2.1.1/src/lib/certmap/sss_certmap.c:1013: overrun-local: Overrunning array "san_parsed_template" of 12 24-byte elements at element index 12 (byte offset 311) using index "s->san_opt" (which evaluates to 12).
# 1011| if (out == NULL) return ENOMEM;
# 1012|
# 1013|-> if (san_parsed_template[s->san_opt].name != NULL) {
# 1014| ret = expand_san(ctx, &san_parsed_template[s->san_opt], c->san_list,
# 1015| &expanded);
Error: OVERRUN (CWE-119):
sssd-2.1.1/src/lib/certmap/sss_certmap.c:1007: cond_at_most: Checking "s->san_opt < SAN_END" implies that "s->san_opt" may be up to 12 on the true branch.
sssd-2.1.1/src/lib/certmap/sss_certmap.c:1014: overrun-local: Overrunning array of 288 bytes at byte offset 288 by dereferencing pointer "&san_parsed_template[s->san_opt]".
# 1012|
# 1013| if (san_parsed_template[s->san_opt].name != NULL) {
# 1014|-> ret = expand_san(ctx, &san_parsed_template[s->san_opt], c->san_list,
# 1015| &expanded);
# 1016| if (ret != EOK) {
Error: OVERRUN (CWE-119):
sssd-2.1.1/src/lib/certmap/sss_certmap.c:1007: cond_at_most: Checking "s->san_opt < SAN_END" implies that "s->san_opt" may be up to 12 on the true branch.
sssd-2.1.1/src/lib/certmap/sss_certmap.c:1019: overrun-local: Overrunning array "san_parsed_template" of 12 24-byte elements at element index 12 (byte offset 311) using index "s->san_opt" (which evaluates to 12).
# 1017| return ret;
# 1018| }
# 1019|-> out = talloc_asprintf_append(out, " %s=%s\n\n",
# 1020| san_parsed_template[s->san_opt].name,
# 1021| expanded);
```
"""
See the full comment at
https://github.com/SSSD/sssd/pull/814#issuecomment-494385966