s4-ldb: don't remove a message element beyond the end of the array

author Andrew Tridgell <tridge@samba.org>

Fri, 11 Sep 2009 08:00:42 +0000 (18:00 +1000)

committer Andrew Tridgell <tridge@samba.org>

Fri, 11 Sep 2009 08:02:04 +0000 (18:02 +1000)
author Andrew Tridgell <tridge@samba.org>
Fri, 11 Sep 2009 08:00:42 +0000 (18:00 +1000)
committer Andrew Tridgell <tridge@samba.org>
Fri, 11 Sep 2009 08:02:04 +0000 (18:02 +1000)
diff --git a/source4/lib/ldb/common/ldb_msg.c b/source4/lib/ldb/common/ldb_msg.c

index 8d0fa313a009280e18b9e951889bdb5538227bda..702978a3611e1d78e315b294b260e63c93d802f0 100644 (file)
--- a/source4/lib/ldb/common/ldb_msg.c
+++ b/source4/lib/ldb/common/ldb_msg.c
@@ -739,6 +739,10 @@ int ldb_msg_copy_attr(struct ldb_message *msg, const char *attr, const char *rep
  void ldb_msg_remove_element(struct ldb_message *msg, struct ldb_message_element *el)
  {
         int n = (el - msg->elements);
+       if (n >= msg->num_elements) {
+               /* should we abort() here? */
+               return;
+       }
         if (n != msg->num_elements-1) {
                 memmove(el, el+1, ((msg->num_elements-1) - n)*sizeof(*el));
         }
author	Andrew Tridgell <tridge@samba.org>
	Fri, 11 Sep 2009 08:00:42 +0000 (18:00 +1000)
committer	Andrew Tridgell <tridge@samba.org>
	Fri, 11 Sep 2009 08:02:04 +0000 (18:02 +1000)