From: Andreas Schneider
Date: Tue, 30 Apr 2024 12:27:54 +0000 (+0200)
Subject: lib:ldb: Add missing overflow check in ldb_msg_normalize()
X-Git-Tag: tdb-1.4.11~902
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=17dd13bb4bc9bd38f663c376ee73de6598715da7;p=thirdparty%2Fsamba.git

lib:ldb: Add missing overflow check in ldb_msg_normalize()

Error: INTEGER_OVERFLOW (CWE-190):
ldb-2.9.0/common/ldb_msg.c:1235: tainted_data_argument: The check "i < msg2->num_elements" contains the tainted expression "i" which causes "msg2->num_elements" to be considered tainted.
ldb-2.9.0/common/ldb_msg.c:1253: overflow: The expression "msg2->num_elements - (i + 1U)" is deemed underflowed because at least one of its arguments has underflowed.
ldb-2.9.0/common/ldb_msg.c:1253: overflow: The expression "32UL * (msg2->num_elements - (i + 1U))" is deemed underflowed because at least one of its arguments has underflowed.
ldb-2.9.0/common/ldb_msg.c:1253: overflow_sink: "32UL * (msg2->num_elements - (i + 1U))", which might have underflowed, is passed to "memmove(el2, el2 + 1, 32UL * (msg2->num_elements - (i + 1U)))". [Note: The source code implementation of the function has been overridden by a builtin model.]
1251|         talloc_free(discard_const_p(char, el2->name));
1252|         if ((i+1) < msg2->num_elements) {
1253|->           memmove(el2, el2+1, sizeof(struct ldb_message_element) *
1254|                   (msg2->num_elements - (i+1)));
1255|         }

Signed-off-by: Andreas Schneider
Reviewed-by: Volker Lendecke
---

diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index bbb7ff96233..8477ab2b00b 100644
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
@@ -1256,7 +1256,7 @@ int ldb_msg_normalize(struct ldb_context *ldb, sizeof(struct ldb_val) * el2->num_values); el1->num_values += el2->num_values; talloc_free(discard_const_p(char, el2->name)); - if ((i+1) < msg2->num_elements) { + if ((i + 1 > i) && ((i + 1) < msg2->num_elements)) { memmove(el2, el2+1, sizeof(struct ldb_message_element) * (msg2->num_elements - (i+1))); }
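Review bot: the added `i + 1 > i` guard on the `+` line can never evaluate to false at this point, so it silences the analyzer without changing behaviour: the Coverity trace shows `i` is unsigned (`i + 1U`) and the loop check at line 1235 already bounds it by `i < msg2->num_elements`, which means `i + 1` cannot wrap and `msg2->num_elements - (i+1)` cannot underflow once `(i+1) < msg2->num_elements` holds. Since the hunk carries no comment, a later reader will not know why the extra comparison is there; either add a one-line comment stating that it exists to satisfy the CWE-190 finding, or rewrite the condition without the addition, e.g. `if (msg2->num_elements - i > 1) {`, which is equivalent under the loop bound and makes the `memmove` length `msg2->num_elements - (i+1)` visibly non-negative to both the analyzer and the reader.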