source4/dsdb: Fix NULL dereference in vlv_results()
authorAnoop C S <anoopcs@samba.org>
Tue, 19 May 2026 10:38:02 +0000 (16:08 +0530)
committerMartin Schwenke <martins@samba.org>
Thu, 21 May 2026 02:21:29 +0000 (02:21 +0000)
When vlv_search_by_dn_guid() returns an error other than
LDB_SUCCESS, the result pointer remains uninitialized. The
subsequent condition ORs that error check with a result->count test, so the
dereference is short-circuited only when ret equals LDAP_NO_SUCH_OBJECT.
For any other error code, result remains NULL and is dereferenced, causing
a NULL pointer dereference.

Fix by reorganizing the if condition to ensure the dereferencing
statement only executes when LDB_SUCCESS is returned.

Signed-off-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>
source4/dsdb/samdb/ldb_modules/vlv_pagination.c

index b389d3fd4f0b6c2935c0fa98a51b13458a340396..5a074cf7bcf04daaab9d4d1005070df9c62542e6 100644 (file)
@@ -458,13 +458,26 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
                        ret = vlv_search_by_dn_guid(ac->module, ac, &result, guid,
                                                    ac->req->op.search.attrs);
 
-                       if (ret == LDAP_NO_SUCH_OBJECT
-                           || result->count != 1) {
+                       if (ret == LDAP_NO_SUCH_OBJECT) {
                                /*
                                 * The thing isn't there, which we quietly
                                 * ignore and go on to send an extra one
                                 * instead.
-                                *
+                                */
+                               if (last_i < ac->store->num_entries - 1) {
+                                       last_i++;
+                               }
+                               continue;
+                       } else if (ret != LDB_SUCCESS) {
+                               return ldb_module_done(
+                                       ac->req,
+                                       ac->controls,
+                                       response,
+                                       ret);
+                       }
+
+                       if (result->count != 1) {
+                               /*
                                 * result->count == 0 or > 1 can only
                                 * happen if ASQ (which breaks all the
                                 * rules) is somehow invoked (as this
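Review bot: The rewritten condition `if (ret == LDAP_NO_SUCH_OBJECT)` still compares an ldb return code against the LDAP wire-protocol constant, while the new branch right below it uses `ret != LDB_SUCCESS`; since the line is being rewritten anyway, `if (ret == LDB_ERR_NO_SUCH_OBJECT)` would keep the error namespaces consistent (the two constants appear to share the value 32, so this is a readability point rather than a behaviour change). The success path that now reaches `if (result->count != 1)` also relies on vlv_search_by_dn_guid() always storing a non-NULL `result` whenever it returns LDB_SUCCESS, which is not visible in this hunk; if the callee does not establish that guarantee, a guard such as `if (result == NULL) { return ldb_module_done(ac->req, ac->controls, response, LDB_ERR_OPERATIONS_ERROR); }` before the count check would close the remaining instance of the crash class this commit fixes. vlv_results() begins before and continues past this hunk.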
@@ -477,12 +490,6 @@ static int vlv_results(struct vlv_context *ac, struct ldb_reply *ares)
                                        last_i++;
                                }
                                continue;
-                       } else if (ret != LDB_SUCCESS) {
-                               return ldb_module_done(
-                                       ac->req,
-                                       ac->controls,
-                                       response,
-                                       ret);
                        }
 
                        ret = ldb_module_send_entry(ac->req, result->msgs[0],