r23993: Attempt to fix bug #4808, reported by mwallnoefer@yahoo.de. The issue

is that when we all ldb_msg_add_empty(), we might realloc() the
msg->elements array.  We need to ensure the source pointer (when
copying an element from the same msg) is still valid, or the data
copied.

Andrew Bartlett
(This used to be commit 0fbea30577233d00e7c6cdd4faaece0f99fc57b1)

diff --git a/source4/lib/ldb/common/ldb_msg.c b/source4/lib/ldb/common/ldb_msg.c
index 69a2ab749b9c487495a5ded73f8b2955024d188b..e9c04df55a8538ef012dab33d5d0389a3f74f498 100644 (file)
--- a/source4/lib/ldb/common/ldb_msg.c
+++ b/source4/lib/ldb/common/ldb_msg.c
@@ -162,11 +162,14 @@ int ldb_msg_add(struct ldb_message *msg,
                const struct ldb_message_element *el, 
                int flags)
 {
+       /* We have to copy this, just in case *el is a pointer into
+        * what ldb_msg_add_empty() is about to realloc() */
+       struct ldb_message_element el_copy = *el;
        if (ldb_msg_add_empty(msg, el->name, flags, NULL) != 0) {
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
-       msg->elements[msg->num_elements-1] = *el;
+       msg->elements[msg->num_elements-1] = el_copy;
        msg->elements[msg->num_elements-1].flags = flags;
 
        return LDB_SUCCESS;