lib: Fix Coverity ID 1636566 Untrusted loop bound
authorVolker Lendecke <vl@samba.org>
Wed, 4 Dec 2024 13:03:12 +0000 (14:03 +0100)
committerVolker Lendecke <vl@samba.org>
Tue, 17 Dec 2024 12:30:31 +0000 (12:30 +0000)
Sanitize num_auths to [0,15] in sid_copy()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
libcli/security/util_sid.c

index 0942b2fe259d5ea6c4e6683649774e01f9023302..31f3ad161eb41a34d7e73c7e9097be3d64e5a175 100644 (file)
@@ -323,16 +323,17 @@ bool sid_peek_check_rid(const struct dom_sid *exp_dom_sid, const struct dom_sid
 
 void sid_copy(struct dom_sid *dst, const struct dom_sid *src)
 {
-       int i;
+       const int8_t num_auths = MIN(15, MAX(0, src->num_auths));
+       int8_t i;
 
        *dst = (struct dom_sid) {
                .sid_rev_num = src->sid_rev_num,
-               .num_auths = src->num_auths,
+               .num_auths = num_auths,
        };
 
        memcpy(&dst->id_auth[0], &src->id_auth[0], sizeof(src->id_auth));
 
-       for (i = 0; i < src->num_auths; i++)
+       for (i = 0; i < num_auths; i++)
                dst->sub_auths[i] = src->sub_auths[i];
 }
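Review bot: The clamp at the top of `sid_copy()` silently turns an out-of-range `src->num_auths` into a different, shorter SID, and nothing in the hunk documents that or lets a caller notice, since the function returns void. A truncated SID can name a different principal than the source did, so the range check that rejects a malformed SID still has to happen where the SID is parsed. I would add a comment above the clamp such as `/* Defensive clamp only: callers must already have validated num_auths; an out-of-range value yields a truncated SID, not an error. */`. The literal `15` presumably mirrors the length of `sub_auths[]`, whose declaration is not in this hunk. Deriving the bound from the array, e.g. `sizeof(src->sub_auths) / sizeof(src->sub_auths[0])`, would keep the two from drifting apart.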