From 3cb4073cd0e24c8082d71d569a67a344af0f8cba Mon Sep 17 00:00:00 2001
From: Andreas Schneider
Date: Wed, 19 Jun 2024 11:33:00 +0200
Subject: [PATCH] s4:dsdb: Avoid possible underflows with new_len

Found by Covscan.

"Error: INTEGER_OVERFLOW (CWE-190): samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:403: tainted_data_argument: The check ""i < new_len"" contains the tainted expression ""i"" which causes ""new_len"" to be considered tainted.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow: The expression ""new_len - i"" is deemed underflowed because at least one of its arguments has underflowed.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow: The expression ""(new_len - i) * 8UL"" is deemed underflowed because at least one of its arguments has underflowed.
samba-4.20.0rc2/source4/dsdb/schema/schema_query.c:407: overflow_sink: ""(new_len - i) * 8UL"", which might have underflowed, is passed to ""memmove(val1, val2, (new_len - i) * 8UL)"". [Note: The source code implementation of the function has been overridden by a builtin model.]
405| const char **val2 = &attr_list[i];
406| if (ldb_attr_cmp(*val1, *val2) == 0) {
407|-> memmove(val1, val2, (new_len - i) * sizeof( *attr_list));
408| attr_list[new_len-1] = NULL;
409| new_len--;"

Signed-off-by: Andreas Schneider
Reviewed-by:
Signed-off-by: Martin Schwenke
---
 source4/dsdb/schema/schema_query.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/dsdb/schema/schema_query.c b/source4/dsdb/schema/schema_query.c
index da491d5aae9..aa906d03d4b 100644
--- a/source4/dsdb/schema/schema_query.c
+++ b/source4/dsdb/schema/schema_query.c
@@ -402,7 +402,7 @@ static const char **dedup_attr_list(const char **attr_list)
 size_t i;
 TYPESAFE_QSORT(attr_list, new_len, qsort_string);
- for (i=1; i < new_len; i++) {
+ for (i=1; new_len > 0 && i < new_len; i++) {
 const char **val1 = &attr_list[i-1];
 const char **val2 = &attr_list[i];
 if (ldb_attr_cmp(*val1, *val2) == 0) {
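Review bot: The added `new_len > 0 &&` guard on the for line is a no-op at runtime: `i` is a `size_t` starting at 1, so `i < new_len` is already false whenever `new_len` is 0 (assuming `new_len` is unsigned, which its declaration outside the hunk would confirm), and the `new_len - i` memmove length Covscan flagged cannot underflow while `i < new_len` holds at loop entry. A one-line comment such as `/* new_len > 0 only quiets Covscan; i < new_len already excludes the empty list */` would save the next reader from hunting for a case the guard actually handles. What the commit does not address is the loop body quoted in its own message: after the `memmove` and `new_len--` the loop still does `i++`, so the element just shifted into `attr_list[i]` is never compared with `attr_list[i-1]`, and a sorted run of three equal names keeps one duplicate; adding `i--;` directly after `new_len--;` would re-examine that slot. The body of dedup_attr_list continues past the hunk, so this last point is inferred from the lines quoted in the commit message rather than from the diff itself.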