From 253e5f4a68939516d249e4f9e33c931226b828cf Mon Sep 17 00:00:00 2001
From: Volker Lendecke <vl@samba.org>
Date: Wed, 4 Dec 2024 14:03:12 +0100
Subject: [PATCH] lib: Fix Coverity ID 1636566 Untrusted loop bound
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Sanitize num_auths to [0,15] in sid_copy()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
---
 libcli/security/util_sid.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index 0942b2fe259..31f3ad161eb 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -323,16 +323,17 @@ bool sid_peek_check_rid(const struct dom_sid *exp_dom_sid, const struct dom_sid
 
 void sid_copy(struct dom_sid *dst, const struct dom_sid *src)
 {
-	int i;
+	const int8_t num_auths = MIN(15, MAX(0, src->num_auths));
+	int8_t i;
 
 	*dst = (struct dom_sid) {
 		.sid_rev_num = src->sid_rev_num,
-		.num_auths = src->num_auths,
+		.num_auths = num_auths,
 	};
 
 	memcpy(&dst->id_auth[0], &src->id_auth[0], sizeof(src->id_auth));
 
-	for (i = 0; i < src->num_auths; i++)
+	for (i = 0; i < num_auths; i++)
 		dst->sub_auths[i] = src->sub_auths[i];
 }
 
-- 
2.47.3