From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Sun, 7 Apr 2019 22:33:07 +0000 (+1200)
Subject: ldb_msg: remove_element() checks element array bounds
X-Git-Tag: tdb-1.4.1~94
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=06a02cb88c88c0ba9af5a2eeba722c0b5878cccd;p=thirdparty%2Fsamba.git

ldb_msg: remove_element() checks element array bounds

Previously we half-heartedly checked one end.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index b51e4b1059e..2346e66ec39 100644
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
@@ -1222,14 +1222,14 @@ int ldb_msg_copy_attr(struct ldb_message *msg, const char *attr, const char *rep
 void ldb_msg_remove_element(struct ldb_message *msg, struct ldb_message_element *el)
 {
 	ptrdiff_t n = (el - msg->elements);
-	if (n >= msg->num_elements) {
-		/* should we abort() here? */
+	if (n >= msg->num_elements || n < 0) {
+		/* the element is not in the list. the caller is crazy. */
 		return;
 	}
-	if (n != msg->num_elements-1) {
-		memmove(el, el+1, ((msg->num_elements-1) - n)*sizeof(*el));
-	}
 	msg->num_elements--;
+	if (n != msg->num_elements) {
+		memmove(el, el+1, (msg->num_elements - n)*sizeof(*el));
+	}
 }