authorJoseph Sutton <josephsutton@catalyst.net.nz>2022-02-17 11:13:38 +1300
committerJule Anger <janger@samba.org>2022-07-24 11:41:53 +0200
commit4d2d30c21b16a53d5547cb803efe49cb6304ce37 (patch)
tree216a9136669fb1a5b5055ab60460f6acc41bc357
parent7c8427e5d2f247921ab44996829acfed1f5f2360 (diff)
CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
Doing so is undefined behaviour. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-rw-r--r--source4/dsdb/samdb/ldb_modules/util.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 14947746837..35ae110b5ef 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -1548,15 +1548,19 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
for (i = 0; i < msg->num_elements; i++) {
if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) {
+ const struct ldb_message_element *tmp_el = &msg->elements[i];
if ((operation == LDB_MODIFY) &&
- (LDB_FLAG_MOD_TYPE(msg->elements[i].flags)
+ (LDB_FLAG_MOD_TYPE(tmp_el->flags)
== LDB_FLAG_MOD_DELETE)) {
continue;
}
+ if (tmp_el->values == NULL || tmp_el->num_values == 0) {
+ continue;
+ }
memcpy(v,
- msg->elements[i].values,
- msg->elements[i].num_values);
- v += msg->elements[i].num_values;
+ tmp_el->values,
+ tmp_el->num_values);
+ v += tmp_el->num_values;
}
}
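Review bot: The `memcpy()` kept by this hunk still passes `tmp_el->num_values` as its length, which is an element count rather than a byte count. The declaration of `v` is outside the hunk, but if it is a pointer to the value structs, as `v += tmp_el->num_values` suggests, only the first `num_values` bytes of the array are copied while the cursor advances by whole elements, leaving most of the destination uninitialised. The call should read `memcpy(v, tmp_el->values, tmp_el->num_values * sizeof(*v));`. The body of `dsdb_get_expected_new_values()` starts and ends outside the hunk, so it is also worth confirming that the code sizing the destination buffer skips the same elements as the new `values == NULL || num_values == 0` guard.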