From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Fri, 3 Jun 2022 04:16:31 +0000 (+1200)
Subject: CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element
X-Git-Tag: samba-4.14.14~83
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=65d96369fa4f915f01e203cfc8b15e48c5b4b440;p=thirdparty%2Fsamba.git

CVE-2022-32745 s4/dsdb/util: Correctly copy values into message element

To use memcpy(), we need to specify the number of bytes to copy, rather
than the number of ldb_val structures.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15008

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
---

diff --git a/source4/dsdb/samdb/ldb_modules/util.c b/source4/dsdb/samdb/ldb_modules/util.c
index 35ae110b5ef..e7fe8f855df 100644
--- a/source4/dsdb/samdb/ldb_modules/util.c
+++ b/source4/dsdb/samdb/ldb_modules/util.c
@@ -1559,7 +1559,7 @@ int dsdb_get_expected_new_values(TALLOC_CTX *mem_ctx,
 			}
 			memcpy(v,
 			       tmp_el->values,
-			       tmp_el->num_values);
+			       tmp_el->num_values * sizeof(*v));
 			v += tmp_el->num_values;
 		}
 	}