If we exited this function early due to an error, h->len would contain
the number of elements that *ought* to be in h->val, but not all of
those elements must have been initialized. Subsequently trying to free
this partially-uninitialized structure with free_Keys() could have bad
results.
Avoid this by ensuring that h->len accurately reports the actual number
of initialized elements.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
ZERO_STRUCTP(h);
- h->len = s->len;
if (s->val != NULL) {
- h->val = malloc(h->len * sizeof(Key));
+ h->val = malloc(s->len * sizeof(Key));
if (h->val == NULL) {
return ENOMEM;
}
- for (i = 0; i < h->len; i++) {
+ for (i = 0; i < s->len; i++) {
ret = sdb_key_to_Key(&s->val[i],
&h->val[i]);
if (ret != 0) {
free_Keys(h);
return ENOMEM;
}
+
+ ++h->len;
}
} else {
h->val = NULL;
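Review bot: the error path inside the loop still returns ENOMEM unconditionally even though `sdb_key_to_Key()` reports its own failure in `ret`, so a conversion failure that is not an allocation failure is misreported to the caller; since the hunk already touches this block, consider changing `return ENOMEM;` after `free_Keys(h);` to `return ret;`. The `++h->len` placement itself is right: it runs only after `h->val[i]` has been fully initialized, so `free_Keys(h)` on the error path only sees initialized entries. One remaining edge case visible here is `s->len == 0` with `s->val != NULL`: `malloc(0)` may legitimately return NULL on some platforms, which this code would treat as ENOMEM; guarding the allocation with `if (s->len > 0)` (or leaving `h->val = NULL` for that case) avoids the spurious failure.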