Home Esplora Aiuto
Accedi
RONCC
/
Big-Data-HPC-Platform
Segui 1
Vota 0
Forka 0
File Problemi 0 Pull Requests 0 Wiki
Sfoglia il codice sorgente

HPCC-17042 Coverity: Fix numerous LDAP issue found by Coverity

Coverity test suite noted numerous problems in the LDAP code. This PR fixes
those problems. Note that a later run of Coverity may uncover other problems
or not be satisfied with the fixes provided herein.

Signed-off-by: Russ Whitehead <william.whitehead@lexisnexis.com>
Russ Whitehead 8 anni fa
parent
25778ec32e
commit
d9c60ac50f
6 ha cambiato i file con 34 aggiunte e 15 eliminazioni
Visualizzazione separata Mostra Diff Stats
  1. 7 2
      system/security/LdapSecurity/aci.cpp
  2. 18 5
      system/security/LdapSecurity/ldapconnection.cpp
  3. 4 0
      system/security/LdapSecurity/ldapsecurity.cpp
  4. 1 6
      system/security/LdapSecurity/permissions.cpp
  5. 0 1
      system/security/LdapSecurity/permissions.hpp
  6. 4 1
      system/security/shared/caching.hpp

+ 7 - 2
system/security/LdapSecurity/aci.cpp
Vedi File 

@@ -441,6 +441,9 @@ public:
 
         const char* bptr = acistr;
 
         const char* eptr = acistr;
 
 
+        m_isDeny = false;//set later in this ctor
 
+        m_permission = NewSecAccess_None;//set later in this ctor
 
+
 
         // <OID>
 
         while(*bptr == ' ')
 
             bptr++;
 
@@ -510,7 +513,6 @@ public:
 
         }
 
 
         //calculate the secperm
 
-        m_permission = 0;
 
         if(strchr(m_perms.str(), 'r') != NULL && strchr(m_perms.str(), 'w') != NULL && strchr(m_perms.str(), 'd') != NULL)
 
         {
 
             m_permission |= NewSecAccess_Full;
 
@@ -895,6 +897,8 @@ AciProcessor::AciProcessor(IPropertyTree* cfg)
 
 
     m_sidcache.setown(createPTree());
 
     m_cfg->getProp(".//@ldapAddress", m_server);
 
+    m_ldap_client = nullptr;
 
+    m_servertype = LDAPSERVER_UNKNOWN;
 
 }
 
 
 bool AciProcessor::getPermissions(ISecUser& user, IArrayOf<CSecurityDescriptor>& sdlist, IArrayOf<ISecResource>& resources)
 
@@ -972,7 +976,7 @@ void AciProcessor::cacheSid(const char* name, int len, const void* sidbuf)
 
 void AciProcessor::lookupSid(const char* act_name, MemoryBuffer& act_sid, ACT_TYPE acttype)
 
 {
 
     throw MakeStringException(-1, "You shouldn't need function lookupSid");
 
-
 
+/*preserve dead code for reference
 
     act_sid.clear();
 
 
     MemoryBuffer mb;
 
@@ -989,6 +993,7 @@ void AciProcessor::lookupSid(const char* act_name, MemoryBuffer& act_sid, ACT_TY
 
             cacheSid(act_name, act_sid.length(), (const void*)act_sid.toByteArray());
 
         }
 
     }
 
+*/
 
 }
 
 
 int AciProcessor::sdSegments(CSecurityDescriptor* sd)

+ 18 - 5
system/security/LdapSecurity/ldapconnection.cpp
Vedi File 

@@ -140,6 +140,7 @@ public:
 
     CHostManager()
 
     {
 
         m_populated = false;
 
+        m_curHostIdx = 0;
 
     }
 
 
     void populateHosts(const char* addrlist)
 
@@ -773,7 +774,7 @@ public:
 
             m_useSSL = (0 == stricmp(proto, "ldaps") ? true : false);
 
         }
 
 
-        int rc;
 
+        int rc = LDAP_SERVER_DOWN;//assume bad things
 
         StringBuffer hostbuf;
 
         for (int numHosts=0; numHosts < m_ldapconfig->getHostCount(); numHosts++)
 
         {
 
@@ -1400,6 +1401,7 @@ public:
 
         m_pp = NULL;
 
         //m_defaultFileScopePermission = -2;
 
         //m_defaultWorkunitScopePermission = -2;
 
+        m_domainPwdsNeverExpire = false;
 
     }
 
 
     virtual void init(IPermissionProcessor* pp)
 
@@ -1935,6 +1937,10 @@ public:
 
         if(infotype && stricmp(infotype, "sudoers") == 0)
 
         {
 
             CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
 
+            if (ldapuser == nullptr)
 
+            {
 
+                throw MakeStringException(-1, "Unable to cast input user variable");
 
+            }
 
 
             TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
 
             Owned<ILdapConnection> lconn = m_connections->getConnection();
 
@@ -2185,12 +2191,13 @@ public:
 
         // Since we've got the SID for the user, cache it for later uses.
 
         MemoryBuffer mb;
 
         if(m_pp != NULL)
 
-            m_pp->getCachedSid(ldapuser->getName(), mb);
 
-        if(mb.length() == 0)
 
         {
 
-            m_pp->cacheSid(ldapuser->getName(), usersidbuf.length(), usersidbuf.toByteArray());
 
+            m_pp->getCachedSid(ldapuser->getName(), mb);
 
+            if(mb.length() == 0)
 
+            {
 
+                m_pp->cacheSid(ldapuser->getName(), usersidbuf.length(), usersidbuf.toByteArray());
 
+            }
 
         }
 
-
 
         return ldapuser;
 
     }
 
 
@@ -2991,6 +2998,10 @@ public:
 
         else if(stricmp(type, "sudoersupdate") == 0)
 
         {
 
             CLdapSecUser* ldapuser = dynamic_cast<CLdapSecUser*>(&user);
 
+            if (ldapuser == nullptr)
 
+            {
 
+                throw MakeStringException(-1, "Unable to cast input user variable");
 
+            }
 
 
             char* sudoHost = (char*)ldapuser->getSudoHost();
 
             char* sudoCommand = (char*)ldapuser->getSudoCommand();
 
@@ -5354,6 +5365,8 @@ private:
 
         while(nextptr != NULL)
 
         {
 
             prevptr = nextptr + 2;
 
+            if (prevptr == nullptr)
 
+                break;//could happen if resource contains trailing ::
 
             nextptr = strstr(prevptr, "::");
 
         }
 
         if(prevptr != NULL && *prevptr != '\0')

+ 4 - 0
system/security/LdapSecurity/ldapsecurity.cpp
Vedi File 

@@ -28,6 +28,10 @@ CLdapSecUser::CLdapSecUser(const char *name, const char *pw) :
 
     m_pw(pw), m_authenticateStatus(AS_UNKNOWN)
 
 {
 
     setName(name);
 
+    m_userid = 0;
 
+    m_posixenabled = false;
 
+    m_sudoersenabled = false;
 
+    m_insudoers = false;
 
 }
 
 
 CLdapSecUser::~CLdapSecUser()

+ 1 - 6
system/security/LdapSecurity/permissions.cpp
Vedi File 

@@ -58,6 +58,7 @@ PermissionProcessor::PermissionProcessor(IPropertyTree* config)
 
 
     m_sidcache.setown(createPTree());
 
     m_cfg->getProp(".//@ldapAddress", m_server);
 
+    m_ldap_client = nullptr;
 
 }
 
 
 SecAccessFlags PermissionProcessor::ldap2sec(unsigned ldapperm)
 
@@ -406,12 +407,6 @@ bool GetAclInformation(PACL pAcl, void* pAclInformation, DWORD nAclInformationLe
 
         return false;
 
     }
 
 
-    if(pAcl == NULL)
 
-    {
 
-        DBGLOG("GetAclInformation: PACL is NULL");
 
-        return false;
 
-    }
 
-
 
     PACL_SIZE_INFORMATION pinfo = (PACL_SIZE_INFORMATION)pAclInformation;
 
     pinfo->AceCount = pAcl->AceCount;

+ 0 - 1
system/security/LdapSecurity/permissions.hpp
Vedi File 

@@ -34,7 +34,6 @@ private:
 
     StringAttr   m_name;
 
     StringAttr   m_relativeBasedn;
 
     MemoryBuffer m_descriptor;
 
-    unsigned     m_permissions;
 
     StringAttr   m_dn;
 
     StringAttr   m_objectClass;

+ 4 - 1
system/security/shared/caching.hpp
Vedi File 

@@ -130,6 +130,9 @@ public:
 
 
 // main cache that stores all user-specific caches (defined by CResPermissionsCache above)
 
 //
 
+
 
+#define DEFAULT_CACHE_TIMEOUT_SECONDS 10
 
+
 
 class CPermissionsCache : public CInterface
 
 {
 
 public:
 
@@ -141,6 +144,7 @@ public:
 
         m_lastManagedFileScopesRefresh = 0;
 
         m_defaultPermission = SecAccess_Unknown;
 
         m_secMgrClass.set(_secMgrClass);
 
+        m_transactionalCacheTimeout = DEFAULT_CACHE_TIMEOUT_SECONDS;
 
     }
 
 
     virtual ~CPermissionsCache();
 
@@ -167,7 +171,6 @@ public:
 
     virtual void add (ISecUser& sec_user);
 
     virtual void removeFromUserCache(ISecUser& sec_user);
 
 
-#define DEFAULT_CACHE_TIMEOUT_SECONDS 10
 
     void  setCacheTimeout(int timeoutSeconds)
 
     {
 
         m_cacheTimeout = timeoutSeconds;