From 62b56dc2db5285a55d1abc3a849db8fd96e0ac8f Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sat, 21 Jul 2007 10:14:46 +0000
Subject: r23982: Fix use-after-realloc() found by valgrind and mwallnoefer@yahoo.de. Should fix bug #4804. Andrew Bartlett (This used to be commit 848336dc617b72d189fe82e10c0b08a518d6d073)
---
 source4/dsdb/samdb/ldb_modules/kludge_acl.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'source4/dsdb')
diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
index 3aca12de5f..68ab3880e5 100644
--- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c
+++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
@@ -115,7 +115,7 @@ struct kludge_acl_context {
 static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_message *msg, const char *attrName) {
- struct ldb_message_element *oc_el = ldb_msg_find_element(msg, "objectClass");
+ struct ldb_message_element *oc_el;
 struct ldb_message_element *allowedAttributes;
 const struct dsdb_schema *schema = dsdb_get_schema(ldb);
 const struct dsdb_class *class;
@@ -125,6 +125,10 @@ static int kludge_acl_allowedAttributes(struct ldb_context *ldb, struct ldb_mess
 return ret;
 }
+ /* To ensure that oc_el is valid, we must look for it after
+ we alter the element array in ldb_msg_add_empty() */
+ oc_el = ldb_msg_find_element(msg, "objectClass");
+
 for (i=0; i < oc_el->num_values; i++) {
 class = dsdb_class_by_lDAPDisplayName(schema, (const char *)oc_el->values[i].data);
 if (!class) {
-- cgit
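Review bot: The re-fetched `oc_el` in the second hunk is dereferenced by the loop condition `oc_el->num_values` without a NULL check, and `ldb_msg_find_element()` returns NULL when the message has no objectClass element. Whether a message without objectClass can reach this function is not visible here, but a guard right after the lookup, such as `if (oc_el == NULL) { return LDB_ERR_OPERATIONS_ERROR; }`, would turn a possible NULL dereference into a handled error; the return code should follow how the module treats such entries. The new comment could state the rule itself, for example `/* ldb_msg_add_empty() may realloc msg->elements, so element pointers taken before it are stale */`. The same lifetime rule would apply to `allowedAttributes`, presumably filled in by that call, if the loop body, which continues outside the hunk, adds further elements to `msg`. The first hunk only drops the early initializer and needs nothing more.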