[SSSD] [sssd PR#137][comment] Initial pkinit support

jhrozek Mon, 06 Feb 2017 10:52:02 -0800

  URL: https://github.com/SSSD/sssd/pull/137
Title: #137: Initial pkinit support


jhrozek commented:
"""
There are some Coverity warnings:
```
Error: UNINIT (CWE-457):
sssd-1.15.1/src/p11_child/p11_child_nss.c:112: var_decl: Declaring variable 
"key_id_str" without initializer.
sssd-1.15.1/src/p11_child/p11_child_nss.c:482: uninit_use_in_call: Using 
uninitialized value "key_id_str" when calling "PORT_Free".
#  480|   
#  481|       SECITEM_FreeItem(key_id, PR_TRUE);
#  482|->     PORT_Free(key_id_str);
#  483|   
#  484|       PORT_Free(signed_random_value.data);

Error: COMPILER_WARNING:
sssd-1.15.1/src/p11_child/p11_child_nss.c: scope_hint: In function 'do_work'
sssd-1.15.1/src/p11_child/p11_child_nss.c:482:5: warning: 'key_id_str' may be 
used uninitialized in this function [-Wmaybe-uninitialized]
#     PORT_Free(key_id_str);
#     ^
#  480|   
#  481|       SECITEM_FreeItem(key_id, PR_TRUE);
#  482|->     PORT_Free(key_id_str);
#  483|   
#  484|       PORT_Free(signed_random_value.data);

Error: NEGATIVE_RETURNS (CWE-394):
sssd-1.15.1/src/providers/krb5/krb5_child.c:1836: negative_return_fn: Function 
"get_and_save_tgt(kr, newpassword)" returns a negative number.
sssd-1.15.1/src/providers/krb5/krb5_child.c:1484:9: return_negative_constant: 
Explicitly returning negative value "-1765328324".
sssd-1.15.1/src/providers/krb5/krb5_child.c:1836: var_assign: Assigning: signed 
variable "kerr" = "get_and_save_tgt".
sssd-1.15.1/src/providers/krb5/krb5_child.c:1844: negative_returns: "kerr" is 
passed to a parameter that cannot be negative.
sssd-1.15.1/src/providers/krb5/krb5_child.c:1603:9: neg_sink_parm_call: Passing 
"kerr" to "sss_strerror", which cannot accept a negative number.
sssd-1.15.1/src/util/util_errors.c:117:5: neg_sink_parm_call: Passing "error" 
to "strerror", which cannot accept a negative number.
# 1842|           kerr = k5c_attach_ccname_msg(kr);
# 1843|       }
# 1844|->     return map_krb5_error(kerr);
# 1845|   }
# 1846|   

Error: NEGATIVE_RETURNS (CWE-394):
sssd-1.15.1/src/providers/krb5/krb5_child.c:1878: negative_return_fn: Function 
"get_and_save_tgt(kr, password)" returns a negative number.
sssd-1.15.1/src/providers/krb5/krb5_child.c:1484:9: return_negative_constant: 
Explicitly returning negative value "-1765328324".
sssd-1.15.1/src/providers/krb5/krb5_child.c:1878: var_assign: Assigning: signed 
variable "kerr" = "get_and_save_tgt".
sssd-1.15.1/src/providers/krb5/krb5_child.c:1913: negative_returns: "kerr" is 
passed to a parameter that cannot be negative.
sssd-1.15.1/src/providers/krb5/krb5_child.c:1603:9: neg_sink_parm_call: Passing 
"kerr" to "sss_strerror", which cannot accept a negative number.
sssd-1.15.1/src/util/util_errors.c:117:5: neg_sink_parm_call: Passing "error" 
to "strerror", which cannot accept a negative number.
# 1911|               }
# 1912|           }
# 1913|->         ret = map_krb5_error(kerr);
# 1914|           goto done;
# 1915|       }

Error: UNUSED_VALUE (CWE-563):
sssd-1.15.1/src/responder/pam/pamsrv_cmd.c:1505: value_overwrite: Overwriting 
previous write to "ret" with value from "pam_check_user_search(preq)".
sssd-1.15.1/src/responder/pam/pamsrv_cmd.c:1507: value_overwrite: Overwriting 
previous write to "ret" with value "0".
sssd-1.15.1/src/responder/pam/pamsrv_cmd.c:1488: returned_value: Assigning 
value from "sss_parse_name_for_domains(preq->pd, preq->cctx->rctx->domains, 
preq->cctx->rctx->default_domain, cert_user, &preq->pd->domain, 
&preq->pd->user)" to "ret" here, but that stored value is overwritten before it 
can be used.
# 1486|                                       cert_user);
# 1487|   
# 1488|->             ret = sss_parse_name_for_domains(preq->pd,
# 1489|                                                
preq->cctx->rctx->domains,
# 1490|                                                
preq->cctx->rctx->default_domain,

Error: UNINIT (CWE-457):
sssd-1.15.1/src/util/authtok.c:597: var_decl: Declaring variable "key_id_len" 
without initializer.
sssd-1.15.1/src/util/authtok.c:665: uninit_use: Using uninitialized value 
"key_id_len".
#  663|       }
#  664|   
#  665|->     if (key_id_len != 0) {
#  666|           *key_id = talloc_strndup(mem_ctx,
#  667|                                         (const char *) blob + c + 
pin_len

Error: COMPILER_WARNING:
sssd-1.15.1/src/util/authtok.c: scope_hint: In function 
'sss_auth_unpack_sc_blob'
sssd-1.15.1/src/util/authtok.c:666:19: warning: 'key_id_len' may be used 
uninitialized in this function [-Wmaybe-uninitialized]
#         *key_id = talloc_strndup(mem_ctx,
#                   ^
#  664|   
#  665|       if (key_id_len != 0) {
#  666|->         *key_id = talloc_strndup(mem_ctx,
#  667|                                         (const char *) blob + c + 
pin_len
#  668|                                                                 + 
token_name_len
```
"""

See the full comment at 
https://github.com/SSSD/sssd/pull/137#issuecomment-277775771

_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org

[SSSD] [sssd PR#137][comment] Initial pkinit support

Reply via email to