File _service:tar_scm:backport-0008-CVE-2023-0614.patch of Package libldb

From 4f8b4ce403ff68ca26d33d7272276052829c96f7 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Fri, 3 Mar 2023 17:29:03 +1300
Subject: [PATCH 12/34] CVE-2023-0614 ldb: Add function to filter message in
 place

At present this function is an exact duplicate of ldb_filter_attrs(),
but in the next commit we shall modify it to work in place, without the
need for the allocation of a second message.

The test is a near duplicate of the existing test for
ldb_filter_attrs().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15270

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17821
---
 common/ldb_pack.c                     | 143 +++
 include/ldb_module.h                  |  10 +
 .../tests/ldb_filter_attrs_in_place_test.c    | 989 ++++++++++++++++++
 wscript                               |   6 +
 4 files changed, 1148 insertions(+)
 create mode 100644 tests/ldb_filter_attrs_in_place_test.c

diff --git a/common/ldb_pack.c b/common/ldb_pack.c
index b0b0d64a5ba..f19ac73fa5e 100644
--- a/common/ldb_pack.c
+++ b/common/ldb_pack.c
@@ -1262,6 +1262,149 @@ failed:
 	return -1;
 }
 
+/*
+ * filter the specified list of attributes from msg,
+ * adding requested attributes, and perhaps all for *,
+ * but not the DN to filtered_msg.
+ */
+int ldb_filter_attrs_in_place(struct ldb_context *ldb,
+		     const struct ldb_message *msg,
+		     const char *const *attrs,
+		     struct ldb_message *filtered_msg)
+{
+	unsigned int i;
+	bool keep_all = false;
+	bool add_dn = false;
+	uint32_t num_elements;
+	uint32_t elements_size;
+
+	if (attrs) {
+		/* check for special attrs */
+		for (i = 0; attrs[i]; i++) {
+			int cmp = strcmp(attrs[i], "*");
+			if (cmp == 0) {
+				keep_all = true;
+				break;
+			}
+			cmp = ldb_attr_cmp(attrs[i], "distinguishedName");
+			if (cmp == 0) {
+				add_dn = true;
+			}
+		}
+	} else {
+		keep_all = true;
+	}
+
+	if (keep_all) {
+		add_dn = true;
+		elements_size = msg->num_elements + 1;
+
+	/* Shortcuts for the simple cases */
+	} else if (add_dn && i == 1) {
+		if (ldb_msg_add_distinguished_name(filtered_msg) != 0) {
+			goto failed;
+		}
+		return 0;
+	} else if (i == 0) {
+		return 0;
+
+	/*
+	 * Otherwise we are copying at most as many elements as we
+	 * have attributes
+	 */
+	} else {
+		elements_size = i;
+	}
+
+	filtered_msg->elements = talloc_array(filtered_msg,
+					      struct ldb_message_element,
+					      elements_size);
+	if (filtered_msg->elements == NULL) goto failed;
+
+	num_elements = 0;
+
+	for (i = 0; i < msg->num_elements; i++) {
+		struct ldb_message_element *el = &msg->elements[i];
+
+		/*
+		 * el2 is assigned after the Pigeonhole principle
+		 * check below for clarity
+		 */
+		struct ldb_message_element *el2 = NULL;
+		unsigned int j;
+
+		if (keep_all == false) {
+			bool found = false;
+			for (j = 0; attrs[j]; j++) {
+				int cmp = ldb_attr_cmp(el->name, attrs[j]);
+				if (cmp == 0) {
+					found = true;
+					break;
+				}
+			}
+			if (found == false) {
+				continue;
+			}
+		}
+
+		/*
+		 * Pigeonhole principle: we can't have more elements
+		 * than the number of attributes if they are unique in
+		 * the DB.
+		 */
+		if (num_elements >= elements_size) {
+			goto failed;
+		}
+
+		el2 = &filtered_msg->elements[num_elements];
+
+		*el2 = *el;
+		el2->name = talloc_strdup(filtered_msg->elements,
+					  el->name);
+		if (el2->name == NULL) {
+			goto failed;
+		}
+		el2->values = talloc_array(filtered_msg->elements,
+					   struct ldb_val, el->num_values);
+		if (el2->values == NULL) {
+			goto failed;
+		}
+		for (j=0;j<el->num_values;j++) {
+			el2->values[j] = ldb_val_dup(el2->values, &el->values[j]);
+			if (el2->values[j].data == NULL && el->values[j].length != 0) {
+				goto failed;
+			}
+		}
+		num_elements++;
+	}
+
+	filtered_msg->num_elements = num_elements;
+
+	if (add_dn) {
+		if (ldb_msg_add_distinguished_name(filtered_msg) != 0) {
+			goto failed;
+		}
+	}
+
+	if (filtered_msg->num_elements > 0) {
+		filtered_msg->elements
+			= talloc_realloc(filtered_msg,
+					 filtered_msg->elements,
+					 struct ldb_message_element,
+					 filtered_msg->num_elements);
+		if (filtered_msg->elements == NULL) {
+			goto failed;
+		}
+	} else {
+		TALLOC_FREE(filtered_msg->elements);
+	}
+
+	return 0;
+failed:
+	TALLOC_FREE(filtered_msg->elements);
+	return -1;
+}
+
 /* Have an unpacked ldb message take talloc ownership of its elements. */
 int ldb_msg_elements_take_ownership(struct ldb_message *msg)
 {
diff --git a/include/ldb_module.h b/include/ldb_module.h
index 8c7f33496fb..105093cf38c 100644
--- a/include/ldb_module.h
+++ b/include/ldb_module.h
@@ -543,6 +543,16 @@ int ldb_filter_attrs(struct ldb_context *ldb,
 		     const char *const *attrs,
 		     struct ldb_message *filtered_msg);
 
+/*
+ * filter the specified list of attributes from msg,
+ * adding requested attributes, and perhaps all for *,
+ * but not the DN to filtered_msg.
+ */
+int ldb_filter_attrs_in_place(struct ldb_context *ldb,
+		     const struct ldb_message *msg,
+		     const char *const *attrs,
+		     struct ldb_message *filtered_msg);
+
 /* Have an unpacked ldb message take talloc ownership of its elements. */
 int ldb_msg_elements_take_ownership(struct ldb_message *msg);
 
diff --git a/tests/ldb_filter_attrs_in_place_test.c b/tests/ldb_filter_attrs_in_place_test.c
new file mode 100644
index 00000000000..bef961f8f9c
--- /dev/null
+++ b/tests/ldb_filter_attrs_in_place_test.c
@@ -0,0 +1,989 @@
+/*
+ * Tests exercising ldb_filter_attrs_in_place().
+ *
+ *
+ * Copyright (C) Catalyst.NET Ltd 2017
+ * Copyright (C) Andrew Bartlett <abartlet@samba.org> 2019
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+/*
+ * from cmocka.c:
+ * These headers or their equivalents should be included prior to
+ * including
+ * this header file.
+ *
+ * #include <stdarg.h>
+ * #include <stddef.h>
+ * #include <setjmp.h>
+ *
+ * This allows test applications to use custom definitions of C standard
+ * library functions and types.
+ */
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+#include <setjmp.h>
+#include <cmocka.h>
+
+#include "../include/ldb.h"
+#include "../include/ldb_module.h"
+
+struct ldbtest_ctx {
+	struct tevent_context *ev;
+	struct ldb_context *ldb;
+};
+
+/*
+ * NOTE WELL:
+ *
+ * This test checks the current behaviour of the function, however
+ * this is not in a public ABI and many of the tested behaviours are
+ * not ideal.  If the behaviour is deliberatly improved, this test
+ * should be updated without worry to the new better behaviour.
+ *
+ * In particular the test is particularly to ensure the current
+ * behaviour is memory-safe.
+ */
+
+static int setup(void **state)
+{
+	struct ldbtest_ctx *test_ctx;
+
+	test_ctx = talloc_zero(NULL, struct ldbtest_ctx);
+	assert_non_null(test_ctx);
+
+	test_ctx->ev = tevent_context_init(test_ctx);
+	assert_non_null(test_ctx->ev);
+
+	test_ctx->ldb = ldb_init(test_ctx, test_ctx->ev);
+	assert_non_null(test_ctx->ldb);
+
+	*state = test_ctx;
+	return 0;
+}
+
+static int teardown(void **state)
+{
+	talloc_free(*state);
+	return 0;
+}
+
+
+/*
+ * Test against a record with only one attribute, matching the one in
+ * the list
+ */
+static void test_filter_attrs_one_attr_matched(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *filtered_msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"foo", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+	struct ldb_message in = {
+		.dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"),
+		.num_elements = 1,
+		.elements = &element_1,
+	};
+
+	assert_non_null(in.dn);
+
+	ret = ldb_filter_attrs_in_place(ctx->ldb,
+			       &in,
+			       attrs,
+			       filtered_msg);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_non_null(filtered_msg);
+
+	/*
+	 * assert the ldb_filter_attrs_in_place does not read or modify
+	 * filtered_msg.dn in this case
+	 */
+	assert_null(filtered_msg->dn);
+	assert_int_equal(filtered_msg->num_elements, 1);
+	assert_string_equal(filtered_msg->elements[0].name, "foo");
+	assert_int_equal(filtered_msg->elements[0].num_values, 1);
+	assert_int_equal(filtered_msg->elements[0].values[0].length,
+			 strlen(value));
+	assert_memory_equal(filtered_msg->elements[0].values[0].data,
+			    value, strlen(value));
+}
+
+/*
+ * Test against a record with only one attribute, matching the one of
+ * the multiple attributes in the list
+ */
+static void test_filter_attrs_one_attr_matched_of_many(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *filtered_msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"foo", "bar", "baz", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+	struct ldb_message in = {
+		.dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"),
+		.num_elements = 1,
+		.elements = &element_1,
+	};
+
+	assert_non_null(in.dn);
+
+	ret = ldb_filter_attrs_in_place(ctx->ldb,
+			       &in,
+			       attrs,
+			       filtered_msg);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_non_null(filtered_msg);
+
+	/*
+	 * assert the ldb_filter_attrs_in_place does not read or modify
+	 * filtered_msg.dn in this case
+	 */
+	assert_null(filtered_msg->dn);
+	assert_int_equal(filtered_msg->num_elements, 1);
+	assert_string_equal(filtered_msg->elements[0].name, "foo");
+	assert_int_equal(filtered_msg->elements[0].num_values, 1);
+	assert_int_equal(filtered_msg->elements[0].values[0].length,
+			 strlen(value));
+	assert_memory_equal(filtered_msg->elements[0].values[0].data,
+			    value, strlen(value));
+}
+
+/*
+ * Test against a record with only one attribute, matching both
+ * attributes in the list
+ */
+static void test_filter_attrs_two_attr_matched_attrs(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *filtered_msg = ldb_msg_new(ctx);
+
+	/* deliberatly the other order */
+	const char *attrs[] = {"bar", "foo", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	/* foo and bar are the other order to in attrs */
+	struct ldb_message_element elements[] = {
+		{
+			.name = "foo",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+	struct ldb_message in = {
+		.dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"),
+		.num_elements = 2,
+		.elements = elements,
+	};
+
+	assert_non_null(in.dn);
+
+	ret = ldb_filter_attrs_in_place(ctx->ldb,
+			       &in,
+			       attrs,
+			       filtered_msg);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_non_null(filtered_msg);
+	assert_int_equal(filtered_msg->num_elements, 2);
+
+	/*
+	 * assert the ldb_filter_attrs_in_place does not read or modify
+	 * filtered_msg.dn in this case
+	 */
+	assert_null(filtered_msg->dn);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(filtered_msg->elements[0].name, "foo");
+	assert_int_equal(filtered_msg->elements[0].num_values, 1);
+	assert_int_equal(filtered_msg->elements[0].values[0].length,
+			 strlen(value1));
+	assert_memory_equal(filtered_msg->elements[0].values[0].data,
+			    value1, strlen(value1));
+	assert_string_equal(filtered_msg->elements[1].name, "bar");
+	assert_int_equal(filtered_msg->elements[1].num_values, 1);
+	assert_int_equal(filtered_msg->elements[1].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(filtered_msg->elements[1].values[0].data,
+			    value2, strlen(value2));
+}
+
+/*
+ * Test against a record with two attributes, only of which is in
+ * the list
+ */
+static void test_filter_attrs_two_attr_matched_one_attr(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *filtered_msg = ldb_msg_new(ctx);
+
+	/* deliberatly the other order */
+	const char *attrs[] = {"bar", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	/* foo and bar are the other order to in attrs */
+	struct ldb_message_element elements[] = {
+		{
+			.name = "foo",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+	struct ldb_message in = {
+		.dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"),
+		.num_elements = 2,
+		.elements = elements,
+	};
+
+	assert_non_null(in.dn);
+
+	ret = ldb_filter_attrs_in_place(ctx->ldb,
+			       &in,
+			       attrs,
+			       filtered_msg);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_non_null(filtered_msg);
+	assert_int_equal(filtered_msg->num_elements, 1);
+
+	/*
+	 * assert the ldb_filter_attrs_in_place does not read or modify
+	 * filtered_msg.dn in this case
+	 */
+	assert_null(filtered_msg->dn);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(filtered_msg->elements[0].name, "bar");
+	assert_int_equal(filtered_msg->elements[0].num_values, 1);
+	assert_int_equal(filtered_msg->elements[0].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(filtered_msg->elements[0].values[0].data,
+			    value2, strlen(value2));
+}
+
+/*
+ * Test against a record with two attributes, both matching the one
+ * specified attribute in the list (a corrupt record)
+ */
+static void test_filter_attrs_two_dup_attr_matched_one_attr(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *filtered_msg = ldb_msg_new(ctx);
+
+	/* deliberatly the other order */
+	const char *attrs[] = {"bar", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	/* foo and bar are the other order to in attrs */
+	struct ldb_message_element elements[] = {
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+	struct ldb_message in = {
+		.dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"),
+		.num_elements = 2,
+		.elements = elements,
+	};
+
+	assert_non_null(in.dn);
+
+	ret = ldb_filter_attrs_in_place(ctx->ldb,
+			       &in,
+			       attrs,
+			       filtered_msg);
+
+	/* This should fail the pidgenhole test */
+	assert_int_equal(ret, -1);
+	assert_null(filtered_msg->elements);
+}
+
+/*
+ * Test against a record with two attributes, both matching the one
+ * specified attribute in the list (a corrupt record)
+ */
+static void test_filter_attrs_two_dup_attr_matched_dup(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *filtered_msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"bar", "bar", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	/* foo and bar are the other order to in attrs */
+	struct ldb_message_element elements[] = {
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+	struct ldb_message in = {
+		.dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"),
+		.num_elements = 2,
+		.elements = elements,
+	};
+
+	assert_non_null(in.dn);
+
+	ret = ldb_filter_attrs_in_place(ctx->ldb,
+			       &in,
+			       attrs,
+			       filtered_msg);
+
+	/* This does not fail the pidgenhole test */
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(filtered_msg->num_elements, 2);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(filtered_msg->elements[0].name, "bar");
+	assert_int_equal(filtered_msg->elements[0].num_values, 1);
+	assert_int_equal(filtered_msg->elements[0].values[0].length,
+			 strlen(value1));
+	assert_memory_equal(filtered_msg->elements[0].values[0].data,
+			    value1, strlen(value1));
+	assert_string_equal(filtered_msg->elements[1].name, "bar");
+	assert_int_equal(filtered_msg->elements[1].num_values, 1);
+	assert_int_equal(filtered_msg->elements[1].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(filtered_msg->elements[1].values[0].data,
+			    value2, strlen(value2));
+}
+
+/*
+ * Test against a record with two attributes, both matching one of the
+ * specified attributes in the list (a corrupt record)
+ */
+static void test_filter_attrs_two_dup_attr_matched_one_of_two(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *filtered_msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"bar", "foo", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	/* foo and bar are the other order to in attrs */
+	struct ldb_message_element elements[] = {
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+	struct ldb_message in = {
+		.dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"),
+		.num_elements = 2,
+		.elements = elements,
+	};
+
+	assert_non_null(in.dn);
+
+	ret = ldb_filter_attrs_in_place(ctx->ldb,
+			       &in,
+			       attrs,
+			       filtered_msg);
+
+	/* This does not fail the pidgenhole test */
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(filtered_msg->num_elements, 2);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(filtered_msg->elements[0].name, "bar");
+	assert_int_equal(filtered_msg->elements[0].num_values, 1);
+	assert_int_equal(filtered_msg->elements[0].values[0].length,
+			 strlen(value1));
+	assert_memory_equal(filtered_msg->elements[0].values[0].data,
+			    value1, strlen(value1));
+	assert_string_equal(filtered_msg->elements[1].name, "bar");
+	assert_int_equal(filtered_msg->elements[1].num_values, 1);
+	assert_int_equal(filtered_msg->elements[1].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(filtered_msg->elements[1].values[0].data,
+			    value2, strlen(value2));
+}
+
+/*
+ * Test against a record with two attributes against * (but not the
+ * other named attribute) (a corrupt record)
+ */
+static void test_filter_attrs_two_dup_attr_matched_star(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *filtered_msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"*", "foo", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+
+	/* foo and bar are the other order to in attrs */
+	struct ldb_message_element elements[] = {
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+	struct ldb_message in = {
+		.dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"),
+		.num_elements = 2,
+		.elements = elements,
+	};
+
+	assert_non_null(in.dn);
+
+	/* Needed as * implies distinguishedName */
+	filtered_msg->dn = in.dn;
+
+	ret = ldb_filter_attrs_in_place(ctx->ldb,
+			       &in,
+			       attrs,
+			       filtered_msg);
+
+	/* This does not fail the pidgenhole test */
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_int_equal(filtered_msg->num_elements, 3);
+
+	/* Assert that DB order is preserved */
+	assert_string_equal(filtered_msg->elements[0].name, "bar");
+	assert_int_equal(filtered_msg->elements[0].num_values, 1);
+	assert_int_equal(filtered_msg->elements[0].values[0].length,
+			 strlen(value1));
+	assert_memory_equal(filtered_msg->elements[0].values[0].data,
+			    value1, strlen(value1));
+	assert_string_equal(filtered_msg->elements[1].name, "bar");
+	assert_int_equal(filtered_msg->elements[1].num_values, 1);
+	assert_int_equal(filtered_msg->elements[1].values[0].length,
+			 strlen(value2));
+	assert_memory_equal(filtered_msg->elements[1].values[0].data,
+			    value2, strlen(value2));
+	/*
+	 * assert the ldb_filter_attrs_in_place does not modify filtered_msg.dn
+	 * in this case
+	 */
+	assert_ptr_equal(filtered_msg->dn, in.dn);
+	assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg,
+							"distinguishedName",
+							NULL),
+			    ldb_dn_get_linearized(in.dn));
+}
+
+/*
+ * Test against a record with only one attribute, matching the * in
+ * the list
+ */
+static void test_filter_attrs_one_attr_matched_star(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *filtered_msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"*", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+	struct ldb_message in = {
+		.dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"),
+		.num_elements = 1,
+		.elements = &element_1,
+	};
+
+	assert_non_null(in.dn);
+
+	/* Needed as * implies distinguishedName */
+	filtered_msg->dn = in.dn;
+
+	ret = ldb_filter_attrs_in_place(ctx->ldb,
+			       &in,
+			       attrs,
+			       filtered_msg);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_non_null(filtered_msg);
+	assert_int_equal(filtered_msg->num_elements, 2);
+
+	/*
+	 * assert the ldb_filter_attrs_in_place does not modify filtered_msg.dn
+	 * in this case
+	 */
+	assert_ptr_equal(filtered_msg->dn, in.dn);
+	assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg,
+							"distinguishedName",
+							NULL),
+			    ldb_dn_get_linearized(in.dn));
+	assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg,
+							"foo",
+							NULL),
+			    value);
+}
+
+/*
+ * Test against a record with two attributes, matching the * in
+ * the list
+ */
+static void test_filter_attrs_two_attr_matched_star(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *filtered_msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"*", NULL};
+
+	char value1[] = "The value.......end";
+	char value2[] = "The value..MUST.end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value1,
+		.length = strlen(value1)
+	};
+	struct ldb_val value_2 = {
+		.data   = (uint8_t *)value2,
+		.length = strlen(value2)
+	};
+	struct ldb_message_element elements[] = {
+		{
+			.name = "foo",
+			.num_values = 1,
+			.values = &value_1
+		},
+		{
+			.name = "bar",
+			.num_values = 1,
+			.values = &value_2
+		}
+	};
+	struct ldb_message in = {
+		.dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"),
+		.num_elements = 2,
+		.elements = elements,
+	};
+
+	assert_non_null(in.dn);
+
+	/* Needed as * implies distinguishedName */
+	filtered_msg->dn = in.dn;
+
+	ret = ldb_filter_attrs_in_place(ctx->ldb,
+			       &in,
+			       attrs,
+			       filtered_msg);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_non_null(filtered_msg);
+	assert_int_equal(filtered_msg->num_elements, 3);
+
+	/*
+	 * assert the ldb_filter_attrs_in_place does not modify filtered_msg.dn
+	 * in this case
+	 */
+	assert_ptr_equal(filtered_msg->dn, in.dn);
+	assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg,
+							"distinguishedName",
+							NULL),
+			    ldb_dn_get_linearized(in.dn));
+	assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg,
+							"foo",
+							NULL),
+			    value1);
+	assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg,
+							"bar",
+							NULL),
+			    value2);
+}
+
+/*
+ * Test against a record with only one attribute, matching the * in
+ * the list, but without the DN being pre-filled.  Fails due to need
+ * to contstruct the distinguishedName
+ */
+static void test_filter_attrs_one_attr_matched_star_no_dn(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *filtered_msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"*", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+	struct ldb_message in = {
+		.dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"),
+		.num_elements = 1,
+		.elements = &element_1,
+	};
+
+	assert_non_null(in.dn);
+
+	ret = ldb_filter_attrs_in_place(ctx->ldb,
+			       &in,
+			       attrs,
+			       filtered_msg);
+	assert_int_equal(ret, -1);
+	assert_null(filtered_msg->elements);
+}
+
+/*
+ * Test against a record with only one attribute, matching the * in
+ * the list plus requsesting distinguishedName
+ */
+static void test_filter_attrs_one_attr_matched_star_dn(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *filtered_msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"*", "distinguishedName", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+	struct ldb_message in = {
+		.dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"),
+		.num_elements = 1,
+		.elements = &element_1,
+	};
+
+	assert_non_null(in.dn);
+
+	/* Needed for distinguishedName */
+	filtered_msg->dn = in.dn;
+
+	ret = ldb_filter_attrs_in_place(ctx->ldb,
+			       &in,
+			       attrs,
+			       filtered_msg);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_non_null(filtered_msg);
+	assert_int_equal(filtered_msg->num_elements, 2);
+
+	/* show that ldb_filter_attrs_in_place does not modify in.dn */
+	assert_ptr_equal(filtered_msg->dn, in.dn);
+
+	assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg,
+							"distinguishedName",
+							NULL),
+			    ldb_dn_get_linearized(in.dn));
+	assert_string_equal(ldb_msg_find_attr_as_string(filtered_msg,
+							"foo",
+							NULL),
+			    value);
+}
+
+/*
+ * Test against a record with only one attribute, but returning
+ * distinguishedName from the list (only)
+ */
+static void test_filter_attrs_one_attr_matched_dn(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *filtered_msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {"distinguishedName", NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+	struct ldb_message in = {
+		.dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"),
+		.num_elements = 1,
+		.elements = &element_1,
+	};
+
+	assert_non_null(in.dn);
+
+	/* Needed for distinguishedName */
+	filtered_msg->dn = in.dn;
+
+	ret = ldb_filter_attrs_in_place(ctx->ldb,
+			       &in,
+			       attrs,
+			       filtered_msg);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_non_null(filtered_msg);
+	assert_int_equal(filtered_msg->num_elements, 1);
+
+	/* show that ldb_filter_attrs_in_place does not modify in.dn */
+	assert_ptr_equal(filtered_msg->dn, in.dn);
+	assert_string_equal(filtered_msg->elements[0].name, "distinguishedName");
+	assert_int_equal(filtered_msg->elements[0].num_values, 1);
+	assert_string_equal(filtered_msg->elements[0].values[0].data,
+			    ldb_dn_get_linearized(in.dn));
+}
+
+/*
+ * Test against a record with only one attribute, not matching the
+ * empty attribute list
+ */
+static void test_filter_attrs_one_attr_empty_list(void **state)
+{
+	struct ldbtest_ctx *ctx = *state;
+	int ret;
+
+	struct ldb_message *filtered_msg = ldb_msg_new(ctx);
+
+	const char *attrs[] = {NULL};
+
+	char value[] = "The value.......end";
+	struct ldb_val value_1 = {
+		.data   = (uint8_t *)value,
+		.length = strlen(value)
+	};
+	struct ldb_message_element element_1 = {
+		.name = "foo",
+		.num_values = 1,
+		.values = &value_1
+	};
+	struct ldb_message in = {
+		.dn = ldb_dn_new(ctx, ctx->ldb, "dc=samba,dc=org"),
+		.num_elements = 1,
+		.elements = &element_1,
+	};
+
+	assert_non_null(in.dn);
+
+	ret = ldb_filter_attrs_in_place(ctx->ldb,
+			       &in,
+			       attrs,
+			       filtered_msg);
+	assert_int_equal(ret, LDB_SUCCESS);
+	assert_non_null(filtered_msg);
+	assert_int_equal(filtered_msg->num_elements, 0);
+	assert_null(filtered_msg->dn);
+	assert_null(filtered_msg->elements);
+}
+
+int main(int argc, const char **argv)
+{
+	const struct CMUnitTest tests[] = {
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_one_attr_matched,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_one_attr_matched_of_many,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_two_attr_matched_attrs,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_two_attr_matched_one_attr,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_two_dup_attr_matched_one_attr,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_two_dup_attr_matched_dup,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_two_dup_attr_matched_one_of_two,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_two_dup_attr_matched_star,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_one_attr_matched_star,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_two_attr_matched_star,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_one_attr_matched_star_no_dn,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_one_attr_matched_star_dn,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_one_attr_matched_dn,
+			setup,
+			teardown),
+		cmocka_unit_test_setup_teardown(
+			test_filter_attrs_one_attr_empty_list,
+			setup,
+			teardown),
+	};
+
+	return cmocka_run_group_tests(tests, NULL, NULL);
+}
diff --git a/wscript b/wscript
index c862229822d..7e02309c1d5 100644
--- a/wscript
+++ b/wscript
@@ -518,6 +518,11 @@ def build(bld):
                          deps='cmocka ldb ldb_tdb_err_map',
                          install=False)
 
+        bld.SAMBA_BINARY('ldb_filter_attrs_in_place_test',
+                         source='tests/ldb_filter_attrs_in_place_test.c',
+                         deps='cmocka ldb ldb_tdb_err_map',
+                         install=False)
+
         bld.SAMBA_BINARY('ldb_key_value_sub_txn_tdb_test',
                          bld.SUBDIR('ldb_key_value',
                              '''ldb_kv_search.c
@@ -638,6 +643,7 @@ def test(ctx):
                  # 'ldb_key_value_sub_txn_tdb_test'
                  'ldb_parse_test',
                  'ldb_filter_attrs_test',
+                 'ldb_filter_attrs_in_place_test',
                  ]
 
     # if LIB_LDAP and LIB_LBER defined, then we can test ldb_ldap backend
-- 
2.25.1