s4:dsdb/vlv_pagination: fix segfault in vlv_results()
authorStefan Metzmacher <metze@samba.org>
Wed, 19 Jan 2022 14:57:08 +0000 (15:57 +0100)
committerJule Anger <janger@samba.org>
Wed, 26 Jan 2022 11:02:44 +0000 (11:02 +0000)
It can happen that vlv_results() fails, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED; if that happens we should not
dereference ares->response when ares is NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 20 10:04:39 UTC 2022 on sn-devel-184

(cherry picked from commit 7d16a56b9d1cde8a5174381ef4924a2ea7be59bc)

Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Wed Jan 26 11:02:44 UTC 2022 on sn-devel-184

source4/dsdb/samdb/ldb_modules/vlv_pagination.c

index d6d6039e849281389dd02ed58c76e632f8c0cd62..b389d3fd4f0b6c2935c0fa98a51b13458a340396 100644 (file)
@@ -389,6 +389,7 @@ static int vlv_calc_real_offset(int offset, int denominator, int n_entries)
 
 static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
 {
+       struct ldb_extended *response = (ares != NULL ? ares->response : NULL);
        struct ldb_vlv_resp_control *vlv;
        unsigned int num_ctrls;
        int ret, i, first_i, last_i;
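Review bot: The new `response` initializer makes `ares == NULL` a supported input, but nothing on `vlv_results()` says so, so a later edit could reintroduce `ares->response` on one of the error paths. I would add a comment above the function, `/* ares may be NULL (vlv_search() passes NULL); use 'response', never ares->response */`. The body of `vlv_results()` continues outside this hunk, so any remaining use of `ares` in the lines not shown should be checked against the same NULL case. Because the commit message says the crash is reached when the search fails (e.g. with LDB_ERR_TIME_LIMIT_EXCEEDED), a regression test covering that path would pin the fix; none is visible on this page.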
@@ -399,7 +400,7 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
        if (ac->store == NULL) {
                ret = LDB_ERR_OPERATIONS_ERROR;
                return ldb_module_done(
-                       ac->req, ac->controls, ares->response, ret);
+                       ac->req, ac->controls, response, ret);
        }
 
        if (ac->store->first_ref) {
@@ -428,7 +429,7 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
                                return ldb_module_done(
                                        ac->req,
                                        ac->controls,
-                                       ares->response,
+                                       response,
                                        ret);
                        }
                } else {
@@ -440,7 +441,7 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
                                return ldb_module_done(
                                        ac->req,
                                        ac->controls,
-                                       ares->response,
+                                       response,
                                        ret);
                        }
                }
@@ -480,7 +481,7 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
                                return ldb_module_done(
                                        ac->req,
                                        ac->controls,
-                                       ares->response,
+                                       response,
                                        ret);
                        }
 
@@ -513,7 +514,7 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
        if (ac->controls == NULL) {
                ret = LDB_ERR_OPERATIONS_ERROR;
                return ldb_module_done(
-                       ac->req, ac->controls, ares->response, ret);
+                       ac->req, ac->controls, response, ret);
        }
        ac->controls[num_ctrls] = NULL;
 
@@ -525,7 +526,7 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
        if (ac->controls[i] == NULL) {
                ret = LDB_ERR_OPERATIONS_ERROR;
                return ldb_module_done(
-                       ac->req, ac->controls, ares->response, ret);
+                       ac->req, ac->controls, response, ret);
        }
 
        ac->controls[i]->oid = talloc_strdup(ac->controls[i],
@@ -533,7 +534,7 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
        if (ac->controls[i]->oid == NULL) {
                ret = LDB_ERR_OPERATIONS_ERROR;
                return ldb_module_done(
-                       ac->req, ac->controls, ares->response, ret);
+                       ac->req, ac->controls, response, ret);
        }
 
        ac->controls[i]->critical = 0;
@@ -542,7 +543,7 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
        if (vlv == NULL) {
                ret = LDB_ERR_OPERATIONS_ERROR;
                return ldb_module_done(
-                       ac->req, ac->controls, ares->response, ret);
+                       ac->req, ac->controls, response, ret);
        }
        ac->controls[i]->data = vlv;
 
@@ -891,6 +892,10 @@ static int vlv_search(struct ldb_module *module, struct ldb_request *req)
 
                ret = vlv_results(ac, NULL);
                if (ret != LDB_SUCCESS) {
+                       /*
+                        * vlv_results() will have called ldb_module_done
+                        * if there was an error.
+                        */
                        return ret;
                }
                return ldb_module_done(req, ac->controls, NULL,
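Review bot: The added comment records an invariant that only holds if every error return in `vlv_results()` goes through `ldb_module_done()`, yet it is stated here at the call site rather than on the callee. The error returns visible in this commit all do so, but the function is only partly shown, so I would also state it on `vlv_results()` itself, e.g. `/* On error ldb_module_done() has already been called; callers just return ret. */`. Otherwise a future plain `return ret;` added inside `vlv_results()` would presumably leave the request without a completion callback. The body of `vlv_search()` continues outside this hunk.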