From 17dd13bb4bc9bd38f663c376ee73de6598715da7 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 30 Apr 2024 14:27:54 +0200 Subject: [PATCH] lib:ldb: Add missing overflow check in ldb_msg_normalize() Error: INTEGER_OVERFLOW (CWE-190): ldb-2.9.0/common/ldb_msg.c:1235: tainted_data_argument: The check "i < msg2->num_elements" contains the tainted expression "i" which causes "msg2->num_elements" to be considered tainted. ldb-2.9.0/common/ldb_msg.c:1253: overflow: The expression "msg2->num_elements - (i + 1U)" is deemed underflowed because at least one of its arguments has underflowed. ldb-2.9.0/common/ldb_msg.c:1253: overflow: The expression "32UL * (msg2->num_elements - (i + 1U))" is deemed underflowed because at least one of its arguments has underflowed. ldb-2.9.0/common/ldb_msg.c:1253: overflow_sink: "32UL * (msg2->num_elements - (i + 1U))", which might have underflowed, is passed to "memmove(el2, el2 + 1, 32UL * (msg2->num_elements - (i + 1U)))". [Note: The source code implementation of the function has been overridden by a builtin model.] 1251| talloc_free(discard_const_p(char, el2->name)); 1252| if ((i+1) < msg2->num_elements) { 1253|-> memmove(el2, el2+1, sizeof(struct ldb_message_element) * 1254| (msg2->num_elements - (i+1))); 1255| } Signed-off-by: Andreas Schneider Reviewed-by: Volker Lendecke --- lib/ldb/common/ldb_msg.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c index bbb7ff96233..8477ab2b00b 100644 --- a/lib/ldb/common/ldb_msg.c +++ b/lib/ldb/common/ldb_msg.c @@ -1256,7 +1256,7 @@ int ldb_msg_normalize(struct ldb_context *ldb, sizeof(struct ldb_val) * el2->num_values); el1->num_values += el2->num_values; talloc_free(discard_const_p(char, el2->name)); - if ((i+1) < msg2->num_elements) { + if ((i + 1 > i) && ((i + 1) < msg2->num_elements)) { memmove(el2, el2+1, sizeof(struct ldb_message_element) * (msg2->num_elements - (i+1))); } -- 2.47.3
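Review bot: the new guard `(i + 1 > i)` in the `if` before the `memmove` only fails when `i + 1` wraps to zero, and the analyzer output above shows the enclosing loop already requires `i < msg2->num_elements` (line 1235), so `i + 1` can only wrap if `num_elements` itself is at the type's maximum value; the check is harmless and does silence the Coverity INTEGER_OVERFLOW report on the `msg2->num_elements - (i+1)` subtraction, but a one-line comment saying it exists to make that subtraction provably non-negative for the analyzer would save future readers from hunting for a real overflow path here. Minor style point: the unchanged `memmove` line still writes `(i+1)` while the new condition uses `(i + 1)`; matching the spacing on both lines would keep the block consistent.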