ldb_msg: remove_element() checks element array bounds
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Sun, 7 Apr 2019 22:33:07 +0000 (10:33 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 10 May 2019 01:15:18 +0000 (01:15 +0000)
Previously we half-heartedly checked one end.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
lib/ldb/common/ldb_msg.c

index b51e4b1..2346e66 100644 (file)
@@ -1222,14 +1222,14 @@ int ldb_msg_copy_attr(struct ldb_message *msg, const char *attr, const char *rep
 void ldb_msg_remove_element(struct ldb_message *msg, struct ldb_message_element *el)
 {
        ptrdiff_t n = (el - msg->elements);
-       if (n >= msg->num_elements) {
-               /* should we abort() here? */
+       if (n >= msg->num_elements || n < 0) {
+               /* the element is not in the list. the caller is crazy. */
                return;
        }
-       if (n != msg->num_elements-1) {
-               memmove(el, el+1, ((msg->num_elements-1) - n)*sizeof(*el));
-       }
        msg->num_elements--;
+       if (n != msg->num_elements) {
+               memmove(el, el+1, (msg->num_elements - n)*sizeof(*el));
+       }
 }
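Review bot: The new range test in `ldb_msg_remove_element()` still derives `n` from `el - msg->elements`, which C defines only when `el` already points into that array, so in the "caller is crazy" case the check rests on undefined pointer arithmetic. A stray pointer can also yield an in-range `n` through truncating division, for example one that lands inside an element rather than on its start. The `memmove` then runs from `el` itself rather than from `&msg->elements[n]`, so the shift may not be aligned to an element boundary. A cheap extra guard after the range test would be `if (el != &msg->elements[n]) return;`, which rejects misaligned pointers that fall inside the array. It would also help to document on the function that `el` must be an element of `msg->elements` and that any other pointer is silently ignored, since the `void` return gives callers no way to notice.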