From: Volker Lendecke <vl@samba.org>
Date: Wed, 4 Dec 2024 13:03:12 +0000 (+0100)
Subject: lib: Fix Coverity ID 1636566 Untrusted loop bound
X-Git-Tag: tdb-1.4.13~310
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=253e5f4a68939516d249e4f9e33c931226b828cf;p=thirdparty%2Fsamba.git

lib: Fix Coverity ID 1636566 Untrusted loop bound

Sanitize num_auths to [0,15] in sid_copy()

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>
---

diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index 0942b2fe259..31f3ad161eb 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -323,16 +323,17 @@ bool sid_peek_check_rid(const struct dom_sid *exp_dom_sid, const struct dom_sid
 
 void sid_copy(struct dom_sid *dst, const struct dom_sid *src)
 {
-	int i;
+	const int8_t num_auths = MIN(15, MAX(0, src->num_auths));
+	int8_t i;
 
 	*dst = (struct dom_sid) {
 		.sid_rev_num = src->sid_rev_num,
-		.num_auths = src->num_auths,
+		.num_auths = num_auths,
 	};
 
 	memcpy(&dst->id_auth[0], &src->id_auth[0], sizeof(src->id_auth));
 
-	for (i = 0; i < src->num_auths; i++)
+	for (i = 0; i < num_auths; i++)
 		dst->sub_auths[i] = src->sub_auths[i];
 }