CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer

Doing so is undefined behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>

diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 14947746837557dc70b2339461c70a4a3eb1ac0f..35ae110b5efc7fec89eecfb8fb6328a9c36953b0 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -1548,15 +1548,19 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
 
        for (i = 0; i < msg->num_elements; i++) {
                if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) {
+                       const struct ldb_message_element *tmp_el = &msg->elements[i];
                        if ((operation == LDB_MODIFY) &&
-                           (LDB_FLAG_MOD_TYPE(msg->elements[i].flags)
+                           (LDB_FLAG_MOD_TYPE(tmp_el->flags)
                                                == LDB_FLAG_MOD_DELETE)) {
                                continue;
                        }
+                       if (tmp_el->values == NULL || tmp_el->num_values == 0) {
+                               continue;
+                       }
                        memcpy(v,
-                              msg->elements[i].values,
-                              msg->elements[i].num_values);
-                       v += msg->elements[i].num_values;
+                              tmp_el->values,
+                              tmp_el->num_values);
+                       v += tmp_el->num_values;
                }
        }