libndr: Do not overwrite token list with NULL on allocation failure
authorAndrew Bartlett <abartlet@samba.org>
Sun, 17 Nov 2019 21:38:01 +0000 (10:38 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 12 Dec 2019 02:30:39 +0000 (02:30 +0000)
This was one part of the minimum patch for CVE-2019-14908, before that
issue was downgraded as not worthy of a security release.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13876

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
librpc/ndr/ndr.c

index 53f9a816f940c0f2229b5e3aa9f31a49e4e45bce..93f47e9b1c6eaad145caa308783f779ef10df70b 100644 (file)
@@ -972,6 +972,7 @@ _PUBLIC_ enum ndr_err_code ndr_token_store(TALLOC_CTX *mem_ctx,
                        NDR_ERR_HAVE_NO_MEMORY(list->tokens);
                }
        } else {
+               struct ndr_token *new_tokens = NULL;
                uint32_t alloc_count = talloc_array_length(list->tokens);
                if (list->count == alloc_count) {
                        unsigned new_alloc;
@@ -980,11 +981,10 @@ _PUBLIC_ enum ndr_err_code ndr_token_store(TALLOC_CTX *mem_ctx,
                        if (new_alloc < alloc_count) {
                                return NDR_ERR_RANGE;
                        }
-                       list->tokens = talloc_realloc(mem_ctx, list->tokens,
-                                                     struct ndr_token, new_alloc);
-                       if (list->tokens == NULL) {
-                               NDR_ERR_HAVE_NO_MEMORY(list->tokens);
-                       }
+                       new_tokens = talloc_realloc(mem_ctx, list->tokens,
+                                                   struct ndr_token, new_alloc);
+                       NDR_ERR_HAVE_NO_MEMORY(new_tokens);
+                       list->tokens = new_tokens;
                }
        }
        list->tokens[list->count].key = key;
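Review bot: The reason for the `new_tokens` temporary is not recorded in the code, so the new `list->tokens = new_tokens;` assignment could later be folded back into the `talloc_realloc()` call by a well-meaning cleanup. Nothing in the visible lines resets `list->count` on the failure path, so the old array has to stay attached for the list to remain consistent and freeable after the error return. A short comment above the realloc would pin that, for example `/* Keep list->tokens valid on failure: list->count still describes the old array. */`. `new_tokens` is also only used inside the `if (list->count == alloc_count)` block, so its declaration (added in the previous hunk) could sit there next to `new_alloc`. The body of ndr_token_store starts and ends outside the hunk.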