From b7f9e85db13c8a6959b7c391efdaa3c723d2772e Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Mon, 23 Jul 2007 01:46:39 +0000
Subject: r23993: Attempt to fix bug #4808, reported by mwallnoefer@yahoo.de.

The issue is that when we all ldb_msg_add_empty(), we might realloc() the msg->elements array. We need to ensure the source pointer (when copying an element from the same msg) is still valid, or the data copied.

Andrew Bartlett
(This used to be commit 0fbea30577233d00e7c6cdd4faaece0f99fc57b1)
---
 source4/lib/ldb/common/ldb_msg.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/source4/lib/ldb/common/ldb_msg.c b/source4/lib/ldb/common/ldb_msg.c
index 69a2ab749b..e9c04df55a 100644
--- a/source4/lib/ldb/common/ldb_msg.c
+++ b/source4/lib/ldb/common/ldb_msg.c
@@ -162,11 +162,14 @@ int ldb_msg_add(struct ldb_message *msg,
 const struct ldb_message_element *el,
 int flags)
 {
+ /* We have to copy this, just in case *el is a pointer into
+ * what ldb_msg_add_empty() is about to realloc() */
+ struct ldb_message_element el_copy = *el;
 if (ldb_msg_add_empty(msg, el->name, flags, NULL) != 0) {
 return LDB_ERR_OPERATIONS_ERROR;
 }
- msg->elements[msg->num_elements-1] = *el;
+ msg->elements[msg->num_elements-1] = el_copy;
 msg->elements[msg->num_elements-1].flags = flags;
 return LDB_SUCCESS;
-- cgit
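Review bot: The copy taken on the added `struct ldb_message_element el_copy = *el;` line is shallow, so the element written into `msg->elements[msg->num_elements-1]` still points at the caller's `name` and `values` buffers; nothing in this hunk gives `msg` ownership of them, and if `el` belongs to another message with a shorter lifetime those pointers dangle once that message is freed. The struct assignment also overwrites whatever `ldb_msg_add_empty()` filled into the new slot from `el->name`, so if that routine allocates its own copy of the name (not visible here) that copy is abandoned rather than used. At minimum the assumption should be stated above the assignment, e.g. `/* Shallow copy: the new element shares el->name and el->values with the caller; both must outlive msg or be talloc children of it. */`, and any caller that passes an element taken from a different message should be checked against that rule. ldb_msg_add's closing brace is outside the hunk.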