CVE-2018-1057: s4:dsdb/password_hash: add a helper variable for passwordAttr->num_values

Bug: https://bugzilla.samba.org/show_bug.cgi?id=13272

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

1 files changed, 3 insertions, 6 deletions

diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index bc1ef03db9d..1e7081b997a 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -3922,6 +3922,7 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r
 
 		while ((passwordAttr = ldb_msg_find_element(msg, *l)) != NULL) {
 			unsigned int mtype = LDB_FLAG_MOD_TYPE(passwordAttr->flags);
+			unsigned int nvalues = passwordAttr->num_values;
 
 			if (mtype == LDB_FLAG_MOD_DELETE) {
 				++del_attr_cnt;
@@ -3932,18 +3933,14 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r
 			if (mtype == LDB_FLAG_MOD_REPLACE) {
 				++rep_attr_cnt;
 			}
-			if ((passwordAttr->num_values != 1) &&
-			    (mtype == LDB_FLAG_MOD_ADD))
-			{
+			if ((nvalues != 1) && (mtype == LDB_FLAG_MOD_ADD)) {
 				talloc_free(ac);
 				ldb_asprintf_errstring(ldb,
 						       "'%s' attribute must have exactly one value on add operations!",
 						       *l);
 				return LDB_ERR_CONSTRAINT_VIOLATION;
 			}
-			if ((passwordAttr->num_values > 1) &&
-			    (mtype == LDB_FLAG_MOD_DELETE))
-			{
+			if ((nvalues > 1) && (mtype == LDB_FLAG_MOD_DELETE)) {
 				talloc_free(ac);
 				ldb_asprintf_errstring(ldb,
 						       "'%s' attribute must have zero or one value(s) on delete operations!",