From 06a02cb88c88c0ba9af5a2eeba722c0b5878cccd Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Mon, 8 Apr 2019 10:33:07 +1200
Subject: [PATCH] ldb_msg: remove_element() checks element array bounds

Previously we half-heartedly checked one end.

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
 lib/ldb/common/ldb_msg.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/ldb/common/ldb_msg.c b/lib/ldb/common/ldb_msg.c
index b51e4b1059e..2346e66ec39 100644
--- a/lib/ldb/common/ldb_msg.c
+++ b/lib/ldb/common/ldb_msg.c
@@ -1222,14 +1222,14 @@ int ldb_msg_copy_attr(struct ldb_message *msg, const char *attr, const char *rep
 void ldb_msg_remove_element(struct ldb_message *msg, struct ldb_message_element *el)
 {
 ptrdiff_t n = (el - msg->elements);
- if (n >= msg->num_elements) {
- /* should we abort() here? */
+ if (n >= msg->num_elements || n < 0) {
+ /* the element is not in the list. the caller is crazy. */
 return;
 }
- if (n != msg->num_elements-1) {
- memmove(el, el+1, ((msg->num_elements-1) - n)*sizeof(*el));
- }
 msg->num_elements--;
+ if (n != msg->num_elements) {
+ memmove(el, el+1, (msg->num_elements - n)*sizeof(*el));
+ }
 }
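Review bot: The new guard `n >= msg->num_elements || n < 0` trusts `n`, but `el - msg->elements` is only well defined when `el` already points at an element of that array, so a pointer from another allocation or into the middle of an element can still produce an in-range `n` and reach the `memmove`, which would then shift memory starting at the wrong address. Tying the index back to the pointer closes that gap: `if (n < 0 || n >= msg->num_elements || el != &msg->elements[n]) {`. The comparison between the signed `n` and `msg->num_elements` also depends on that field's type, which is not visible in this hunk; if it is unsigned, testing `n < 0` first makes the intent clearer. The comment could state that the message is left unchanged on this path, for example `/* el is not an element of msg; leave msg untouched */`.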