From 5b20af988c319f389e29db0a47d552c5f68aed58 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell <tridge@samba.org>
Date: Fri, 11 Sep 2009 18:00:42 +1000
Subject: s4-ldb: don't remove a message element beyond the end of the array

---
 source4/lib/ldb/common/ldb_msg.c | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'source4/lib/ldb/common')

diff --git a/source4/lib/ldb/common/ldb_msg.c b/source4/lib/ldb/common/ldb_msg.c
index 8d0fa313a0..702978a361 100644
--- a/source4/lib/ldb/common/ldb_msg.c
+++ b/source4/lib/ldb/common/ldb_msg.c
@@ -739,6 +739,10 @@ int ldb_msg_copy_attr(struct ldb_message *msg, const char *attr, const char *rep
 void ldb_msg_remove_element(struct ldb_message *msg, struct ldb_message_element *el)
 {
 	int n = (el - msg->elements);
+	if (n >= msg->num_elements) {
+		/* should we abort() here? */
+		return;
+	}
 	if (n != msg->num_elements-1) {
 		memmove(el, el+1, ((msg->num_elements-1) - n)*sizeof(*el));
 	}
-- 
cgit