lib:ldb: Add missing overflow check in ldb_msg_normalize()
author Andreas Schneider <asn@samba.org>
Tue, 30 Apr 2024 12:27:54 +0000 (14:27 +0200)
committer Volker Lendecke <vl@samba.org>
Tue, 30 Apr 2024 14:30:34 +0000 (14:30 +0000)
commit 17dd13bb4bc9bd38f663c376ee73de6598715da7
tree 7b20f3ba45ab0d854035fa6ab65e29eadd8e98d6
parent 82b07bd048e8039896be7edec6b83cbd6ff218d9
lib:ldb: Add missing overflow check in ldb_msg_normalize()

Error: INTEGER_OVERFLOW (CWE-190):
ldb-2.9.0/common/ldb_msg.c:1235: tainted_data_argument: The check "i < msg2->num_elements" contains the tainted expression "i" which causes "msg2->num_elements" to be considered tainted.
ldb-2.9.0/common/ldb_msg.c:1253: overflow: The expression "msg2->num_elements - (i + 1U)" is deemed underflowed because at least one of its arguments has underflowed.
ldb-2.9.0/common/ldb_msg.c:1253: overflow: The expression "32UL * (msg2->num_elements - (i + 1U))" is deemed underflowed because at least one of its arguments has underflowed.
ldb-2.9.0/common/ldb_msg.c:1253: overflow_sink: "32UL * (msg2->num_elements - (i + 1U))", which might have underflowed, is passed to "memmove(el2, el2 + 1, 32UL * (msg2->num_elements - (i + 1U)))". [Note: The source code implementation of the function has been overridden by a builtin model.]
  1251|                           talloc_free(discard_const_p(char, el2->name));
  1252|                           if ((i+1) < msg2->num_elements) {
  1253|->                                 memmove(el2, el2+1, sizeof(struct ldb_message_element) *
  1254|                                           (msg2->num_elements - (i+1)));
  1255|                           }

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
lib/ldb/common/ldb_msg.c
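
The pattern the Coverity report flags, removing element i from an array and shifting the tail down with memmove(), shown as an added C example; it is not the Samba code and not the change made by this commit. `struct elem`, `tail_bytes()`, `remove_elem()` and `demo()` are hypothetical names, and the sample array is constructed.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for struct ldb_message_element (not the real layout). */
struct elem { unsigned int flags; const char *name; };

/* Byte count of the tail that follows index i, or false if it cannot be
 * computed without unsigned wrap-around. */
static bool tail_bytes(unsigned int num, unsigned int i, size_t elsize, size_t *out)
{
    /* Compare i itself, not i + 1: i + 1 wraps to 0 when i == UINT_MAX,
     * and num - (i + 1) wraps to a huge value whenever i >= num. */
    if (i >= num) {
        return false;
    }
    size_t tail = (size_t)num - (size_t)i - 1;
    if (elsize != 0 && tail > SIZE_MAX / elsize) {
        return false;   /* tail * elsize would not fit in size_t */
    }
    *out = tail * elsize;
    return true;
}

/* Remove els[i], keeping order. On bad input the array is left untouched. */
static bool remove_elem(struct elem *els, unsigned int *num, unsigned int i)
{
    size_t nbytes;
    if (els == NULL || num == NULL || !tail_bytes(*num, i, sizeof(*els), &nbytes)) {
        return false;
    }
    if (nbytes > 0) {
        memmove(&els[i], &els[i + 1], nbytes);
    }
    (*num)--;
    return true;
}

/* Constructed check: drop the middle of {10, 20, 30}, then try stale indexes. */
static int demo(void)
{
    struct elem els[3] = { { .flags = 10 }, { .flags = 20 }, { .flags = 30 } };
    unsigned int num = 3;
    if (!remove_elem(els, &num, 1)) return -1;
    if (num != 2 || els[0].flags != 10 || els[1].flags != 30) return -2;
    if (remove_elem(els, &num, 2)) return -3;         /* i == num */
    if (remove_elem(els, &num, UINT_MAX)) return -4;  /* i + 1 would wrap */
    return 0;
}

int main(void) { return demo(); }
```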