ldb bug fixes

Volker Lendecke Volker.Lendecke at SerNet.DE
Thu Nov 19 07:25:48 UTC 2015 

On Thu, Nov 19, 2015 at 04:18:16PM +1300, Adrian Cochrane wrote:
> I caught and fixed a bug in LDB. This bug corrupted LDB database
> searches when that database contained an empty DN record.
> 
> I've attached my fix, please review.

> From 34cf7347a9d35254f70bc7455c4ac2a591573652 Mon Sep 17 00:00:00 2001
> From: Adrian Cochrane <adrianc at catalyst.net.nz>
> Date: Wed, 18 Nov 2015 15:25:20 +1300
> Subject: [PATCH] ldb: Fix bug triggered by having an empty message in database
>  during search.
> 
> Previously if the message had 0 elements, Talloc would reallocate the projected
> array to NULL, fooling LDB into thinking that it failed to reallocate. This fix

Does talloc_array(ptr, size, 0) really return NULL? I think
it should not.

> corrects LDB to be able to handle the case where the message has no attributes
> in common with the filter.
> 
> Also the realloc call resized the array to the number of elements in the message,
> not the number of elements in common with the filter -- it essentially did nothing.
> 
> Signed-off-by: Adrian Cochrane <adrianc at catalyst.net.nz>
> ---
>  lib/ldb/ldb_tdb/ldb_search.c | 14 +++++++++++---
>  lib/ldb/tests/python/api.py  | 29 +++++++++++++++++++++++++----
>  2 files changed, 36 insertions(+), 7 deletions(-)
> 
> diff --git a/lib/ldb/ldb_tdb/ldb_search.c b/lib/ldb/ldb_tdb/ldb_search.c
> index 1e7e7ea..7055af1 100644
> --- a/lib/ldb/ldb_tdb/ldb_search.c
> +++ b/lib/ldb/ldb_tdb/ldb_search.c
> @@ -407,10 +407,18 @@ int ltdb_filter_attrs(struct ldb_message *msg, const char * const *attrs)
>  	}
>  
>  	talloc_free(msg->elements);
> -	msg->elements = talloc_realloc(msg, el2, struct ldb_message_element, msg->num_elements);
> -	if (msg->elements == NULL) {
> -		return -1;
> +
> +	if (num_elements == 0) {
> +		msg->elements = NULL;
> +		talloc_free(el2);

Do you really want to set msg->elements to NULL? This is in
line with num_elements==0, but a non-NULL pointer might be
safer. On the other hand, a NULL pointer will point out bugs
quicker.

> +	} else if (num_elements > 0) {

num_elements is unsigned, isn't this if clause redundant?

> +		msg->elements = talloc_realloc(msg, el2, struct ldb_message_element,
> +					       num_elements);
> +		if (msg->elements == NULL) {
> +			return -1;
> +		}
>  	}
> +

A simpler patch might be a one-liner to just realloc to
num_elements instead of msg->num_elements.

>  	msg->num_elements = num_elements;

... or move this line up a bit :-)

Volker

-- 
SerNet GmbH, Bahnhofsallee 1b, 37081 Göttingen
phone: +49-551-370000-0, fax: +49-551-370000-9
AG Göttingen, HRB 2816, GF: Dr. Johannes Loxen
http://www.sernet.de, mailto:kontakt at sernet.de

More information about the samba-technical mailing list