From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Thu, 23 Apr 2020 03:33:59 +0000 (+1200)
Subject: s4/ldap server: avoid NULL deref if search control has no data
X-Git-Tag: tevent-0.17.0~567
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=495ca09cb7643d9b68b03bb85a7dc8284ec8c906;p=thirdparty%2Fsamba.git

s4/ldap server: avoid NULL deref if search control has no data

We switch to ldb_request_replace_control() so that the old search
control is removed in the NULL data case.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>
---

diff --git a/source4/ldap_server/ldap_backend.c b/source4/ldap_server/ldap_backend.c
index 986bc1db941..7314e65778a 100644
--- a/source4/ldap_server/ldap_backend.c
+++ b/source4/ldap_server/ldap_backend.c
@@ -858,14 +858,18 @@ static NTSTATUS ldapsrv_SearchRequest(struct ldapsrv_call *call)
 		search_control = ldb_request_get_control(lreq, LDB_CONTROL_SEARCH_OPTIONS_OID);
 
 		search_options = NULL;
-		if (search_control) {
+		if (search_control != NULL && search_control->data != NULL) {
 			search_options = talloc_get_type(search_control->data, struct ldb_search_options_control);
 			search_options->search_options |= LDB_SEARCH_OPTION_PHANTOM_ROOT;
 		} else {
 			search_options = talloc(lreq, struct ldb_search_options_control);
 			NT_STATUS_HAVE_NO_MEMORY(search_options);
 			search_options->search_options = LDB_SEARCH_OPTION_PHANTOM_ROOT;
-			ldb_request_add_control(lreq, LDB_CONTROL_SEARCH_OPTIONS_OID, false, search_options);
+			ldb_request_replace_control(
+				lreq,
+				LDB_CONTROL_SEARCH_OPTIONS_OID,
+				false,
+				search_options);
 		}
 	} else {
 		ldb_request_add_control(lreq, DSDB_CONTROL_NO_GLOBAL_CATALOG, false, NULL);