>From dc44853a1c8ab5fcc570453b7241c5f437c18475 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 2 Sep 2014 09:48:34 +1200
Subject: [PATCH] dsdb: Do not attempt to return beyond the end of the password history array
Found by AddressSanitizer
Change-Id: I82e35aea60726053c79510ba8ed3eedfaf553eb7
Signed-off-by: Andrew Bartlett
---
 source4/dsdb/common/util.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index 409191d..a892f2d 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -570,7 +570,7 @@ NTSTATUS samdb_result_passwords_from_history(TALLOC_CTX *mem_ctx,
 if (nt_pwd) {
 unsigned int num_nt;
 num_nt = samdb_result_hashes(mem_ctx, msg, "ntPwdHistory", &ntPwdHash);
- if (num_nt < idx) {
+ if (num_nt <= idx) {
 *nt_pwd = NULL;
 } else {
 *nt_pwd = &ntPwdHash[idx];
@@ -583,7 +583,7 @@ NTSTATUS samdb_result_passwords_from_history(TALLOC_CTX *mem_ctx,
 if (lpcfg_lanman_auth(lp_ctx)) {
 unsigned int num_lm;
 num_lm = samdb_result_hashes(mem_ctx, msg, "lmPwdHistory", &lmPwdHash);
- if (num_lm < idx) {
+ if (num_lm <= idx) {
 *lm_pwd = NULL;
 } else {
 *lm_pwd = &lmPwdHash[idx];
--
2.1.0
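Review bot: Neither corrected bounds check (`num_nt <= idx` in the first hunk, `num_lm <= idx` in the second) records that `idx` is a zero-based index into the history array, which is the invariant the old `<` comparison got wrong. With `idx` equal to the entry count, `&ntPwdHash[idx]` or `&lmPwdHash[idx]` pointed one element past the array and would have been handed back as if it were a stored password hash. A one-line comment above each check, such as `/* idx is zero-based: only entries 0..num_nt-1 exist */`, would keep the comparison from regressing. A regression test that requests `idx` equal to the stored history length and expects a NULL hash pointer would pin the fix. The function body begins and ends outside both hunks, so how callers handle the NULL result, and whether `lm_pwd` is checked before the write in the second hunk, is not visible here.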