From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 16 Feb 2022 22:13:38 +0000 (+1300)
Subject: CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer
X-Git-Tag: samba-4.14.14~84
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4d2d30c21b16a53d5547cb803efe49cb6304ce37;p=thirdparty%2Fsamba.git

CVE-2022-32745 s4/dsdb/util: Don't call memcpy() with a NULL pointer

Doing so is undefined behaviour.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
---

diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 14947746837..35ae110b5ef 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -1548,15 +1548,19 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
 
 	for (i = 0; i < msg->num_elements; i++) {
 		if (ldb_attr_cmp(msg->elements[i].name, attr_name) == 0) {
+			const struct ldb_message_element *tmp_el = &msg->elements[i];
 			if ((operation == LDB_MODIFY) &&
-			    (LDB_FLAG_MOD_TYPE(msg->elements[i].flags)
+			    (LDB_FLAG_MOD_TYPE(tmp_el->flags)
 						== LDB_FLAG_MOD_DELETE)) {
 				continue;
 			}
+			if (tmp_el->values == NULL || tmp_el->num_values == 0) {
+				continue;
+			}
 			memcpy(v,
-			       msg->elements[i].values,
-			       msg->elements[i].num_values);
-			v += msg->elements[i].num_values;
+			       tmp_el->values,
+			       tmp_el->num_values);
+			v += tmp_el->num_values;
 		}
 	}