certmap: make sure eku_oid_list is always allocated

If there are only OIDs in a <EKU> part of a matching rule a NULL pointer
dereference might occur.

Related to https://pagure.io/SSSD/sssd/issue/3508

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1 files changed, 17 insertions, 0 deletions

diff --git a/src/tests/cmocka/test_certmap.c b/src/tests/cmocka/test_certmap.c
index f1e73875b..6ab310326 100644
--- a/src/tests/cmocka/test_certmap.c
+++ b/src/tests/cmocka/test_certmap.c
@@ -449,6 +449,23 @@ static void test_sss_certmap_add_matching_rule(void **state)
     assert_null(
             ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list[3]);
 
+    ret = sss_certmap_add_rule(ctx, 96,
+                               "KRB5:<EKU>1.2.3",
+                               NULL, NULL);
+    assert_int_equal(ret, 0);
+    assert_non_null(ctx->prio_list);
+    assert_non_null(ctx->prio_list->rule_list);
+    assert_non_null(ctx->prio_list->rule_list->parsed_match_rule);
+    assert_int_equal(ctx->prio_list->rule_list->parsed_match_rule->r,
+                     relation_and);
+    assert_non_null(ctx->prio_list->rule_list->parsed_match_rule->eku);
+    assert_true(string_in_list("1.2.3",
+              discard_const(
+               ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list),
+              true));
+    assert_null(
+            ctx->prio_list->rule_list->parsed_match_rule->eku->eku_oid_list[1]);
+
     /* SAN tests */
     ret = sss_certmap_add_rule(ctx, 89, "KRB5:<SAN>abc", NULL, NULL);
     assert_int_equal(ret, 0);