r23993: Attempt to fix bug #4808, reported by mwallnoefer@yahoo.de. The issue

is that when we all ldb_msg_add_empty(), we might realloc() the
msg->elements array.  We need to ensure the source pointer (when
copying an element from the same msg) is still valid, or the data
copied.

Andrew Bartlett

diff --git a/source/lib/ldb/common/ldb_msg.c b/source/lib/ldb/common/ldb_msg.c
index 513a4de1f81a183864c3d91a110fac2d4d054beb..9daace65c58ff41fd0b7d974a38595d18868595c 100644 (file)
--- a/source/lib/ldb/common/ldb_msg.c
+++ b/source/lib/ldb/common/ldb_msg.c
@@ -151,11 +151,14 @@ int ldb_msg_add(struct ldb_message *msg,
                const struct ldb_message_element *el, 
                int flags)
 {
+       /* We have to copy this, just in case *el is a pointer into
+        * what ldb_msg_add_empty() is about to realloc() */
+       struct ldb_message_element el_copy = *el;
        if (ldb_msg_add_empty(msg, el->name, flags) != 0) {
                return -1;
        }
 
-       msg->elements[msg->num_elements-1] = *el;
+       msg->elements[msg->num_elements-1] = el_copy;
        msg->elements[msg->num_elements-1].flags = flags;
 
        return 0;