From: Joseph Sutton Date: Thu, 10 Aug 2023 04:52:13 +0000 (+1200) Subject: s4:kdc: Ensure the value of h->len is accurate X-Git-Tag: tevent-0.16.0~992 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7dd13e8d8e634af53186d400cd59de588b32bf22;p=thirdparty%2Fsamba.git s4:kdc: Ensure the value of h->len is accurate If we exited this function early due to an error, h->len would contain the number of elements that *ought* to be in h->val, but not all of those elements must have been initialized. Subsequently trying to free this partially-uninitialized structure with free_Keys() could have bad results. Avoid this by ensuring that h->len accurately reports the actual number of initialized elements. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/source4/kdc/sdb_to_hdb.c b/source4/kdc/sdb_to_hdb.c index c5cc23fda70..fb84a963fec 100644 --- a/source4/kdc/sdb_to_hdb.c +++ b/source4/kdc/sdb_to_hdb.c @@ -130,19 +130,20 @@ static int sdb_keys_to_Keys(const struct sdb_keys *s, Keys *h) ZERO_STRUCTP(h); - h->len = s->len; if (s->val != NULL) { - h->val = malloc(h->len * sizeof(Key)); + h->val = malloc(s->len * sizeof(Key)); if (h->val == NULL) { return ENOMEM; } - for (i = 0; i < h->len; i++) { + for (i = 0; i < s->len; i++) { ret = sdb_key_to_Key(&s->val[i], &h->val[i]); if (ret != 0) { free_Keys(h); return ENOMEM; } + + ++h->len; } } else { h->val = NULL;
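Review bot: the error path inside the loop still discards the status from sdb_key_to_Key(): after `free_Keys(h);` the hunk keeps `return ENOMEM;` rather than `return ret;`, so if sdb_key_to_Key() can fail for any reason other than allocation, the caller sees it misreported as out-of-memory; the change itself is otherwise sound, since `h->len` is now incremented (`++h->len;`) only after each element has been successfully converted, the `malloc` and loop bounds use `s->len` directly, and `ZERO_STRUCTP(h)` leaves `h->len` at 0 in the `s->val == NULL` branch, so `free_Keys(h)` on the error path only ever walks initialized elements.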