|
|
5ad689 |
From 27ef368b4105f19382360fe62f944b36ca74adb7 Mon Sep 17 00:00:00 2001
|
|
|
5ad689 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
5ad689 |
Date: Wed, 6 Sep 2017 12:20:25 +0200
|
|
|
5ad689 |
Subject: [PATCH 194/194] certmap: make sure eku_oid_list is always allocated
|
|
|
5ad689 |
MIME-Version: 1.0
|
|
|
5ad689 |
Content-Type: text/plain; charset=UTF-8
|
|
|
5ad689 |
Content-Transfer-Encoding: 8bit
|
|
|
5ad689 |
|
|
|
5ad689 |
If there are only OIDs in a <EKU> part of a matching rule a NULL pointer
|
|
|
5ad689 |
dereference might occur.
|
|
|
5ad689 |
|
|
|
5ad689 |
Related to https://pagure.io/SSSD/sssd/issue/3508
|
|
|
5ad689 |
|
|
|
5ad689 |
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
|
|
|
5ad689 |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
5ad689 |
(cherry picked from commit f5a8cd60c6f377af1954b58f007d16cf3f6dc846)
|
|
|
5ad689 |
---
|
|
|
5ad689 |
src/lib/certmap/sss_certmap_krb5_match.c | 21 ++++++++++++---------
|
|
|
5ad689 |
src/tests/cmocka/test_certmap.c | 17 +++++++++++++++++
|
|
|
5ad689 |
2 files changed, 29 insertions(+), 9 deletions(-)
|
|
|
5ad689 |
|
|
|
5ad689 |
diff --git a/src/lib/certmap/sss_certmap_krb5_match.c b/src/lib/certmap/sss_certmap_krb5_match.c
|
|
|
5ad689 |
index e40f17b8ace46e61087e0a2fa570a362a84cead2..0a77ac225d73f3506e102fdbdc9084faa0f19cf0 100644
|
|
|
5ad689 |
--- a/src/lib/certmap/sss_certmap_krb5_match.c
|
|
|
5ad689 |
+++ b/src/lib/certmap/sss_certmap_krb5_match.c
|
|
|
5ad689 |
@@ -179,19 +179,17 @@ static int parse_krb5_get_eku_value(TALLOC_CTX *mem_ctx,
|
|
|
5ad689 |
goto done;
|
|
|
5ad689 |
}
|
|
|
5ad689 |
|
|
|
5ad689 |
+ comp->eku_oid_list = talloc_zero_array(comp, const char *,
|
|
|
5ad689 |
+ eku_list_size + 1);
|
|
|
5ad689 |
+ if (comp->eku_oid_list == NULL) {
|
|
|
5ad689 |
+ ret = ENOMEM;
|
|
|
5ad689 |
+ goto done;
|
|
|
5ad689 |
+ }
|
|
|
5ad689 |
+
|
|
|
5ad689 |
for (c = 0; eku_list[c] != NULL; c++) {
|
|
|
5ad689 |
for (k = 0; ext_key_usage[k].name != NULL; k++) {
|
|
|
5ad689 |
CM_DEBUG(ctx, "[%s][%s].", eku_list[c], ext_key_usage[k].name);
|
|
|
5ad689 |
if (strcasecmp(eku_list[c], ext_key_usage[k].name) == 0) {
|
|
|
5ad689 |
- if (comp->eku_oid_list == NULL) {
|
|
|
5ad689 |
- comp->eku_oid_list = talloc_zero_array(comp, const char *,
|
|
|
5ad689 |
- eku_list_size + 1);
|
|
|
5ad689 |
- if (comp->eku_oid_list == NULL) {
|
|
|
5ad689 |
- ret = ENOMEM;
|
|
|
5ad689 |
- goto done;
|
|
|
5ad689 |
- }
|
|
|
5ad689 |
- }
|
|
|
5ad689 |
-
|
|
|
5ad689 |
comp->eku_oid_list[e] = talloc_strdup(comp->eku_oid_list,
|
|
|
5ad689 |
ext_key_usage[k].oid);
|
|
|
5ad689 |
if (comp->eku_oid_list[e] == NULL) {
|
|
|
5ad689 |
@@ -225,6 +223,11 @@ CM_DEBUG(ctx, "[%s][%s].", eku_list[c], ext_key_usage[k].name);
|
|
|
5ad689 |
}
|
|
|
5ad689 |
}
|
|
|
5ad689 |
|
|
|
5ad689 |
+ if (e == 0) {
|
|
|
5ad689 |
+ talloc_free(comp->eku_oid_list);
|
|
|
5ad689 |
+ comp->eku_oid_list = NULL;
|
|
|
5ad689 |
+ }
|
|
|
5ad689 |
+
|
|
|
5ad689 |
ret = 0;
|
|
|
5ad689 |
|
|
|
5ad689 |
done:
|
|
|
5ad689 |
diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
|
|
|
5ad689 |
index c998443d086eaa72cc2a05c38ddfc5ba590a1ce7..e732bb214476943d0f723b318ab64d3b4156cace 100644
|
|
|
5ad689 |
--- a/src/tests/cmocka/test_certmap.c
|
|
|
5ad689 |
+++ b/src/tests/cmocka/test_certmap.c
|
|
|
5ad689 |
@@ -445,6 +445,23 @@ static void test_sss_certmap_add_matching_rule(void **state)
|
|
|
5ad689 |
assert_null(
|
|
|
5ad689 |
ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list[3]);
|
|
|
5ad689 |
|
|
|
5ad689 |
+ ret = sss_certmap_add_rule(ctx, 96,
|
|
|
5ad689 |
+ "KRB5:<EKU>1.2.3",
|
|
|
5ad689 |
+ NULL, NULL);
|
|
|
5ad689 |
+ assert_int_equal(ret, 0);
|
|
|
5ad689 |
+ assert_non_null(ctx->prio_list);
|
|
|
5ad689 |
+ assert_non_null(ctx->prio_list->rule_list);
|
|
|
5ad689 |
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
|
|
|
5ad689 |
+ assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
|
|
|
5ad689 |
+ relation_and);
|
|
|
5ad689 |
+ assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->eku);
|
|
|
5ad689 |
+ assert_true(string_in_list("1.2.3",
|
|
|
5ad689 |
+ discard_const(
|
|
|
5ad689 |
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list),
|
|
|
5ad689 |
+ true));
|
|
|
5ad689 |
+ assert_null(
|
|
|
5ad689 |
+ ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list[1]);
|
|
|
5ad689 |
+
|
|
|
5ad689 |
/* SAN tests */
|
|
|
5ad689 |
ret = sss_certmap_add_rule(ctx, 89, "KRB5:<SAN>abc", NULL, NULL);
|
|
|
5ad689 |
assert_int_equal(ret, 0);
|
|
|
5ad689 |
--
|
|
|
5ad689 |
2.13.5
|
|
|
5ad689 |
|