[PATCH] ldb: Fix index out of bound in ldb_msg_find_common_values
Douglas Bagnall
douglas.bagnall at catalyst.net.nz
Thu Jul 6 04:38:29 UTC 2017
On 06/07/17 10:05, Douglas Bagnall via samba-technical wrote:
> On 06/07/17 01:33, Lukas Slebodnik wrote:
>> - while (i != n_values) {
>> + while (i != n_values && j < el2->num_values) {
>> int ret = ldb_val_cmp(&values[i], &values2[j]);
>> if (ret < 0) {
>> i++;
>> } else if (ret > 0) {
>> j++;
>> - if (j == el2->num_values) {
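
Review bot: on the new `while (i != n_values && j < el2->num_values)` line the two bounds are written in different styles; `i < n_values` would make the `i` side fail safe in the same way as the `j` side. The added `j <` test is what keeps `values2[j]` from being passed to `ldb_val_cmp` when `el2->num_values` is 0, since the removed `j == el2->num_values` check only ran after `j++`. An explicit early return before the loop for an element with no values would state that case directly, and the zero-length case should get a test.
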
>
> The problem was when el2 has no values, right? In which case we really
> don't want to be here to start with. Which I obviously failed to check
> and to test.
>
> We also need something like the attached patch. And a test or two, which
> I'll get onto.
>
Well, here I've added tests of zero-length elements that exercise this
path, but they don't usually fail without the fix because out-of-bounds
reads are like that.
Can we get another reviewer?
cheers,
Douglas
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ldb-msg.patch
Type: text/x-patch
Size: 7637 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170706/e40f1848/ldb-msg.bin>
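
The empty-element case discussed in this thread, modelled as an added example that is not part of the original message and is not ldb code: a sorted merge walk over plain `int` arrays, in the loop shape before and after the bound on `j`. The names `walk_before`, `walk_after` and the `WALK_*` codes are hypothetical, the loop body beyond the quoted hunk is assumed, and the pre-fix version reports the out-of-bounds index instead of reading it so that a test fails deterministically.

```c
#include <stddef.h>
#include <stdio.h>

enum { WALK_OOB = -1, WALK_NONE = 0, WALK_COMMON = 1 };

/* Assumed pre-fix shape: only i bounds the loop; j is checked after j++. */
static int walk_before(const int *a, size_t na, const int *b, size_t nb)
{
	size_t i = 0, j = 0;
	while (i != na) {
		/* Instrumentation only: stands in for the unchecked read of b[j]. */
		if (j >= nb) return WALK_OOB;
		if (a[i] < b[j]) i++;
		else if (a[i] > b[j]) { if (++j == nb) break; }
		else return WALK_COMMON;
	}
	return WALK_NONE;
}

/* Both indices bounded, and empty inputs rejected before the walk starts. */
static int walk_after(const int *a, size_t na, const int *b, size_t nb)
{
	size_t i = 0, j = 0;
	if (na == 0 || nb == 0) return WALK_NONE;
	while (i < na && j < nb) {
		if (a[i] < b[j]) i++;
		else if (a[i] > b[j]) j++;
		else return WALK_COMMON;
	}
	return WALK_NONE;
}

/* Constructed sample data, sorted ascending as the merge walk requires. */
static const int sa[] = {1, 3, 5}, sb[] = {2, 3}, sc[] = {2, 4};

int main(void)
{
	printf("empty b: before=%d after=%d\n",
	       walk_before(sa, 3, NULL, 0), walk_after(sa, 3, NULL, 0));
	printf("sa/sb=%d sa/sc=%d\n",
	       walk_after(sa, 3, sb, 2), walk_after(sa, 3, sc, 2));
	return 0;
}
```

Without the instrumentation line, the pre-fix walk would compare against whatever lies at `b[0]`, which is why a plain unit test of the empty case tends to pass unless it runs under a memory checker.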