author | Dmitry Antipov <dantipov@cloudlinux.com> | 2023-05-02 13:43:54 +0300 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2023-05-09 01:59:32 +0000 |
commit | 46ae5568fa7b9a96018d0eedadee6400632112ba (patch) | |
tree | d9bd16a968cf68eb72cd324b6df568783d718d62 | |
parent | 5fcb675a8b064aa6b2a2529703ed7911bff3bb04 (diff) | |
lib:ldb: do not offset against NULL pointer in ldb_ldif_read()

Fix the following error observed running samba.test.registry
compiled with clang-17 and UBsan:

    lib/ldb/common/ldb_ldif.c:881:9: runtime error: applying non-zero offset 137438953440 to null pointer
    #0 0x7faa0eb3932f in ldb_ldif_read lib/ldb/common/ldb_ldif.c:881
    #1 0x7faa0eb3aec6 in ldb_ldif_read_string lib/ldb/common/ldb_ldif.c:1004
    #2 0x7faa077ed759 in dsdb_set_schema_from_ldif source4/dsdb/schema/schema_set.c:1113
    #3 0x7faa068fcbbf in py_dsdb_set_schema_from_ldif source4/dsdb/pydsdb.c:929
    #4 0x7faa1d1d4507 in cfunction_call (/lib64/libpython3.11.so.1.0+0x1d4507)
    [... a lot of Python calls skipped...]

I.e. number of elements should be checked against zero
before making an attempt to access an element by index.

Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-rw-r--r-- | lib/ldb/common/ldb_ldif.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/lib/ldb/common/ldb_ldif.c b/lib/ldb/common/ldb_ldif.c index 748e44ed2b9..96237dd0abf 100644 --- a/lib/ldb/common/ldb_ldif.c +++ b/lib/ldb/common/ldb_ldif.c @@ -878,12 +878,12 @@ struct ldb_ldif *ldb_ldif_read(struct ldb_context *ldb, continue; } - el = &msg->elements[msg->num_elements-1]; - a = ldb_schema_attribute_by_name(ldb, attr); + el = (msg->num_elements > 0 + ? &msg->elements[msg->num_elements - 1] + : NULL); - if (msg->num_elements > 0 && ldb_attr_cmp(attr, el->name) == 0 && - flags == el->flags) { + if (el && ldb_attr_cmp(attr, el->name) == 0 && flags == el->flags) { /* its a continuation */ el->values = talloc_realloc(msg->elements, el->values, |
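Review bot: the rewritten condition `if (el && ldb_attr_cmp(attr, el->name) == 0 && flags == el->flags)` tests the pointer implicitly; spelling it `el != NULL` would state the intent and match the explicit `msg->num_elements > 0` comparison in the ternary just above it. Moving the guard into the assignment is the right shape for the fix: the offset in the commit message, 137438953440, equals 4294967295 * 32, which is consistent with `msg->num_elements - 1` wrapping from zero before `&msg->elements[...]` was formed, so the count check that the removed `if` carried came after the address had already been computed. The diffstat shows only lib/ldb/common/ldb_ldif.c changing; a small ldb_ldif_read_string() case that parses an attribute line while the message still has zero elements would keep this path covered outside a UBSan build.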