s4:dsdb/paged_results: fix segfault in paged_results()
authorStefan Metzmacher <metze@samba.org>
Wed, 19 Jan 2022 14:57:08 +0000 (15:57 +0100)
committerJule Anger <janger@samba.org>
Wed, 26 Jan 2022 09:56:13 +0000 (09:56 +0000)
It can happen that paged_results() fails, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED; if that happens we must not
dereference ares->response when ares is NULL.

We also should not call ldb_module_done() if paged_results()
fails, as it was already called.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit 19fa22b1fbcf33dbc4defe4dd2e487a642786c49)

source4/dsdb/samdb/ldb_modules/paged_results.c

index 3eea3236e7dc4946d94c18d7bda0510cad083501..2063e84e1579a2c4263c71b24f79b7210aed99d1 100644 (file)
@@ -239,6 +239,7 @@ static int paged_search_by_dn_guid(struct ldb_module *module,
 
 static int paged_results(struct paged_context *ac, struct ldb_reply *ares)
 {
+       struct ldb_extended *response = (ares != NULL ? ares->response : NULL);
        struct ldb_paged_control *paged;
        unsigned int i, num_ctrls;
        int ret;
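Review bot: The new `response` local tolerates a NULL `ares` but nothing at the declaration says when that is expected; the only NULL caller visible in this commit is the `ret = paged_results(ac, NULL);` site in paged_search(), so a one-line comment would spare the next reader the trace, e.g. `/* ares may be NULL when called directly from paged_search(); response is then NULL */`. The local only protects the ldb_module_done() sites rewritten in this commit, so any other `ares->` access in the parts of paged_results() that are not in these hunks would still dereference NULL and is worth grepping for. The body of paged_results() continues outside the hunk.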
@@ -246,7 +247,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares)
        if (ac->store == NULL) {
                ret = LDB_ERR_OPERATIONS_ERROR;
                return ldb_module_done(
-                       ac->req, ac->controls, ares->response, ret);
+                       ac->req, ac->controls, response, ret);
        }
 
        while (ac->store->last_i < ac->store->num_entries && ac->size > 0) {
@@ -276,7 +277,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares)
                        continue;
                } else if (ret != LDB_SUCCESS) {
                        return ldb_module_done(
-                               ac->req, ac->controls, ares->response, ret);
+                               ac->req, ac->controls, response, ret);
                }
 
                ret = ldb_module_send_entry(ac->req, result->msgs[0],
@@ -318,7 +319,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares)
        if (ac->controls == NULL) {
                ret = LDB_ERR_OPERATIONS_ERROR;
                return ldb_module_done(
-                       ac->req, ac->controls, ares->response, ret);
+                       ac->req, ac->controls, response, ret);
        }
        ac->controls[num_ctrls] = NULL;
 
@@ -331,7 +332,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares)
        if (ac->controls[i] == NULL) {
                ret = LDB_ERR_OPERATIONS_ERROR;
                return ldb_module_done(
-                       ac->req, ac->controls, ares->response, ret);
+                       ac->req, ac->controls, response, ret);
        }
 
        ac->controls[i]->oid = talloc_strdup(ac->controls[i],
@@ -339,7 +340,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares)
        if (ac->controls[i]->oid == NULL) {
                ret = LDB_ERR_OPERATIONS_ERROR;
                return ldb_module_done(
-                       ac->req, ac->controls, ares->response, ret);
+                       ac->req, ac->controls, response, ret);
        }
 
        ac->controls[i]->critical = 0;
@@ -348,7 +349,7 @@ static int paged_results(struct paged_context *ac, struct ldb_reply *ares)
        if (paged == NULL) {
                ret = LDB_ERR_OPERATIONS_ERROR;
                return ldb_module_done(
-                       ac->req, ac->controls, ares->response, ret);
+                       ac->req, ac->controls, response, ret);
        }
 
        ac->controls[i]->data = paged;
@@ -803,7 +804,11 @@ static int paged_search(struct ldb_module *module, struct ldb_request *req)
 
                ret = paged_results(ac, NULL);
                if (ret != LDB_SUCCESS) {
-                       return ldb_module_done(req, NULL, NULL, ret);
+                       /*
+                        * paged_results() will have called ldb_module_done
+                        * if an error occurred
+                        */
+                       return ret;
                }
                return ldb_module_done(req, ac->controls, NULL, LDB_SUCCESS);
        }
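Review bot: The new `return ret;` depends on an invariant that is written down only here, at the caller: every failing return in paged_results() must already have called ldb_module_done() exactly once, and no successful return may have. That contract belongs on paged_results() itself, as a header comment above its definition along the lines of `/* On failure ldb_module_done() has already been called and the caller must return ret without completing the request again; on success the caller completes it. */`. The error sites rewritten in this commit all go through ldb_module_done(), but the rest of the function (the send-entry loop and whatever follows the controls setup) is not in view, so each remaining return should be checked against the same rule, since a path that returns an error without completing leaves the request unanswered and one that completes twice reintroduces the double ldb_module_done() this commit removes. paged_search() starts outside the hunk.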