From 8f56be2ce8c0e6a4b0f6f5e45b9d2d20a9274907 Mon Sep 17 00:00:00 2001
From: Howard Chu <hyc@openldap.org>
Date: Wed, 7 Nov 2007 04:58:07 +0000
Subject: [PATCH] ITS#5146 better check for single val in modify

---
 servers/slapd/overlays/ppolicy.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/servers/slapd/overlays/ppolicy.c b/servers/slapd/overlays/ppolicy.c
index e126598055..6b7668bf56 100644
--- a/servers/slapd/overlays/ppolicy.c
+++ b/servers/slapd/overlays/ppolicy.c
@@ -1559,8 +1559,6 @@ ppolicy_modify( Operation *op, SlapReply *rs )
 			if ((ml->sml_op == LDAP_MOD_ADD) ||
 				(ml->sml_op == LDAP_MOD_REPLACE))
 			{
-				addmod = ml;
-
 				/* FIXME: there's no easy way to ensure
 				 * that add does not cause multiple
 				 * userPassword values; one way (that 
@@ -1572,13 +1570,15 @@ ppolicy_modify( Operation *op, SlapReply *rs )
 				 * Let's check at least that a single value
 				 * is being added
 				 */
-				assert( addmod->sml_values != NULL );
-				assert( !BER_BVISNULL( &addmod->sml_values[ 0 ] ) );
-				if ( !BER_BVISNULL( &addmod->sml_values[ 1 ] ) ) {
+				assert( ml->sml_values != NULL );
+				assert( !BER_BVISNULL( &ml->sml_values[ 0 ] ) );
+				if ( !BER_BVISNULL( addmod || &ml->sml_values[ 1 ] ) ) {
 					rs->sr_err = LDAP_CONSTRAINT_VIOLATION; 
 					rs->sr_text = "Password policy only allows one password value";
 					goto return_results;
 				}
+
+				addmod = ml;
 			}
 
 		} else if ( !is_at_operational( ml->sml_desc->ad_type ) ) {
-- 
2.39.5