authorMichael Adam <obnox@samba.org>2011-09-29 18:06:56 +0200
committerMichael Adam <obnox@samba.org>2011-10-02 01:26:04 +0200
commit95bb2c23e6e9c52a1e34916dff05b1d306278bc6 (patch)
tree648aad9dc06e630ac450cb43726be68f761eb51d
parentb9da4235566ffdd649d7b4a6ca05cecd02cfbd20 (diff)
s3:registry: fix the test for a REG_SZ blob possibly being a zero terminated ucs2 string
1. catch data blobs with an odd number of bytes (not a ucs2 string at all) 2. test the right ucs2 character to be 0 (prevent out-of-bounds access/potential segfault) Autobuild-User: Michael Adam <obnox@samba.org> Autobuild-Date: Sun Oct 2 01:26:05 CEST 2011 on sn-devel-104
-rw-r--r--source3/registry/reg_format.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/source3/registry/reg_format.c b/source3/registry/reg_format.c
index 77a27fcc0a..db03961919 100644
--- a/source3/registry/reg_format.c
+++ b/source3/registry/reg_format.c
@@ -329,7 +329,16 @@ done:
static bool is_zero_terminated_ucs2(const uint8_t* data, size_t len) {
const size_t idx = len/sizeof(smb_ucs2_t);
const smb_ucs2_t *str = (const smb_ucs2_t*)data;
- return (idx > 0) && (str[idx] == 0);
+
+ if ((len % sizeof(smb_ucs2_t)) != 0) {
+ return false;
+ }
+
+ if (idx == 0) {
+ return false;
+ }
+
+ return (str[idx-1] == 0);
}
int reg_format_value(struct reg_format* f, const char* name, uint32_t type,
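Review bot: The terminator is still read through `(const smb_ucs2_t*)data`, the cast kept as context above the new guards, so `str[idx-1]` is a 16-bit load from a `uint8_t` buffer whose alignment this function does not control; on strict-alignment targets that can fault, and whether registry blobs are always 2-byte aligned is not visible in this hunk. Once the two new guards have established that `len` is even and at least 2, the check can be done bytewise with no cast: `return (data[len-2] == 0) && (data[len-1] == 0);`. A one-line comment above the function would also help, e.g. `/* len is in bytes; true only for a non-empty blob made of whole UCS-2 units whose last unit is 0 */`. A NULL `data` with non-zero `len` is not handled here, so callers presumably guarantee a valid pointer.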