From c7f8bac84bd8865c4a3b210e881310e547321e0d Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Fri, 11 Dec 2020 16:30:35 +1300
Subject: [PATCH 1/2] POC crash for ldb_dn_expode
$ make -j
$ valgrind bin/default/lib/ldb/explode_ldb_dn_explode
==1732366== Memcheck, a memory error detector
==1732366== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1732366== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info
==1732366== Command: bin/default/lib/ldb/explode_ldb_dn_explode
==1732366==
==1732366== Invalid write of size 1
==1732366== at 0x48667CE: ldb_dn_explode (ldb_dn.c:722)
==1732366== by 0x48669DA: ldb_dn_validate (ldb_dn.c:754)
==1732366== by 0x1091E0: main (explode_ldb_dn_explode.c:12)
==1732366== Address 0x4c157a7 is 9 bytes before a block of size 211 alloc'd
==1732366== at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1732366== by 0x4AD2365: __talloc_with_prefix (talloc.c:783)
==1732366== by 0x4AD24FF: __talloc (talloc.c:825)
==1732366== by 0x4AD299C: _talloc_named_const (talloc.c:982)
==1732366== by 0x4AD6B26: _talloc_array (talloc.c:2763)
==1732366== by 0x4865B71: ldb_dn_explode (ldb_dn.c:343)
==1732366== by 0x48669DA: ldb_dn_validate (ldb_dn.c:754)
==1732366== by 0x1091E0: main (explode_ldb_dn_explode.c:12)
==1732366==
Signed-off-by: Douglas Bagnall
---
 lib/ldb/tests/explode_ldb_dn_explode.c | 14 ++++++++++++++
 lib/ldb/wscript | 5 +++++
 2 files changed, 19 insertions(+)
 create mode 100644 lib/ldb/tests/explode_ldb_dn_explode.c
diff --git a/lib/ldb/tests/explode_ldb_dn_explode.c b/lib/ldb/tests/explode_ldb_dn_explode.c
new file mode 100644
index 00000000000..51d9ba36a2a
--- /dev/null
+++ b/lib/ldb/tests/explode_ldb_dn_explode.c
@@ -0,0 +1,14 @@
+#include "includes.h"
+#include "ldb.h"
+
+int main(int argc, char * argv[])
+{
+ const char *str_dn = ("a=b "
+ " "
+ " ,c= ");
+
+ struct ldb_context *ldb = ldb_init(NULL, NULL);
+ struct ldb_dn *dn = ldb_dn_new(ldb, ldb, str_dn);
+ ldb_dn_validate(dn);
+ return 0;
+}
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index f374f64aeab..027d55c187e 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -497,6 +497,11 @@ def build(bld):
 deps='cmocka ldb',
 install=False)
 
+ bld.SAMBA_BINARY('explode_ldb_dn_explode',
+ source='tests/explode_ldb_dn_explode.c',
+ deps='ldb',
+ install=False)
+
 bld.SAMBA_BINARY('ldb_match_test',
 source='tests/ldb_match_test.c',
 deps='cmocka ldb',
-- 
2.25.1
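Review bot: The reproducer's outcome is never checked — `ldb_dn_validate(dn)` is called only for its side effect, `main` returns 0 unconditionally, and neither `ldb_init` nor `ldb_dn_new` is tested for NULL, so the binary proves something only when a person runs it under valgrind as the commit message does. The wscript hunk registers it as a plain `SAMBA_BINARY` with `deps='ldb'` rather than a cmocka case next to `ldb_match_test`, so once the out-of-bounds write in `ldb_dn_explode` is fixed (presumably in 2/2) nothing in the test run will notice it regressing, which matters for a parser that I'd assume handles externally supplied DNs. I'd fold this DN into a cmocka test in the existing ldb test list asserting whatever validate result the fix establishes as correct, and in the meantime make the exit status usable by a wrapper: `if (ldb == NULL || dn == NULL) return 1;` and `return ldb_dn_validate(dn) ? 0 : 1;`. `argc`/`argv` are unused, so `int main(void)` is the cleaner signature; `main` is complete within the hunk.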