s4:dsdb: Avoid possible underflows with new_len

Found by Covscan.

"Error: INTEGER_OVERFLOW (CWE-190):
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:403: tainted_data_argument: The check ""i < new_len"" contains the tainted expression ""i"" which causes ""new_len"" to be considered tainted.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow: The expression ""new_len - i"" is deemed underflowed because at least one of its arguments has underflowed.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow: The expression ""(new_len - i) * 8UL"" is deemed underflowed because at least one of its arguments has underflowed.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow_sink: ""(new_len - i) * 8UL"", which might have underflowed, is passed to ""memmove(val1, val2, (new_len - i) * 8UL)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
  405|   			const char **val2 = &attr_list[i];
  406|   			if (ldb_attr_cmp(*val1, *val2) == 0) {
  407|-> 				memmove(val1, val2, (new_len - i) * sizeof( *attr_list));
  408|   				attr_list[new_len-1] = NULL;
  409|   				new_len--;"

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Signed-off-by: Martin Schwenke <mschwenke@ddn.com>

diff --git a/source4/dsdb/schema/schema_query.c b/source4/dsdb/schema/schema_query.c
index da491d5aae99e1212910cb4604f5642b571de911..aa906d03d4bbbbd4a2b130d7f5c7ceeb336b6ddf 100644 (file)
--- a/source4/dsdb/schema/schema_query.c
+++ b/source4/dsdb/schema/schema_query.c
@@ -402,7 +402,7 @@ static const char **dedup_attr_list(const char **attr_list)
                size_t i;
                TYPESAFE_QSORT(attr_list, new_len, qsort_string);
 
-               for (i=1; i < new_len; i++) {
+               for (i=1; new_len > 0 && i < new_len; i++) {
                        const char **val1 = &attr_list[i-1];
                        const char **val2 = &attr_list[i];
                        if (ldb_attr_cmp(*val1, *val2) == 0) {