author | Jeremy Allison <jra@samba.org> | 2003-04-10 19:08:42 +0000 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2003-04-10 19:08:42 +0000 |
commit | ba9f9afe8b6ca8c008ac8f97c43d896e1cbc4b91 (patch) | |
tree | 8e6ef0951d9b8aed585624eac210b112bf3c0106 | |
parent | ac65d890703c85fe69e2c577061087b8da2a4a93 (diff) | |
Fix from Andrew Esh to ensure tdb_pack can't segfault.
Also stop it leaking memory like a sieve !
Jeremy.
(This used to be commit 11b914ed84c4dbd31726969b3b924f686f938510)
-rw-r--r-- | source3/tdb/tdbutil.c | 21 |
1 files changed, 12 insertions, 9 deletions
diff --git a/source3/tdb/tdbutil.c b/source3/tdb/tdbutil.c
index b153d442bd..69b282cda0 100644
--- a/source3/tdb/tdbutil.c
+++ b/source3/tdb/tdbutil.c
@@ -42,7 +42,7 @@ static void gotalarm_sig(void)
 static TDB_DATA make_tdb_data(const char *dptr, size_t dsize)
 {
 TDB_DATA ret;
- ret.dptr = smb_xstrdup(dptr);
+ ret.dptr = dptr;
 ret.dsize = dsize;
 return ret;
 }
@@ -406,47 +406,47 @@ size_t tdb_pack(char *buf, int bufsize, const char *fmt, ...)
 case 'b': /* unsigned 8-bit integer */
 len = 1;
 bt = (uint8)va_arg(ap, int);
- if (bufsize >= len)
+ if (bufsize && bufsize >= len)
 SSVAL(buf, 0, bt);
 break;
 case 'w': /* unsigned 16-bit integer */
 len = 2;
 w = (uint16)va_arg(ap, int);
- if (bufsize >= len)
+ if (bufsize && bufsize >= len)
 SSVAL(buf, 0, w);
 break;
 case 'd': /* signed 32-bit integer (standard int in most systems) */
 len = 4;
 d = va_arg(ap, uint32);
- if (bufsize >= len)
+ if (bufsize && bufsize >= len)
 SIVAL(buf, 0, d);
 break;
 case 'p': /* pointer */
 len = 4;
 p = va_arg(ap, void *);
 d = p?1:0;
- if (bufsize >= len)
+ if (bufsize && bufsize >= len)
 SIVAL(buf, 0, d);
 break;
 case 'P': /* null-terminated string */
 s = va_arg(ap,char *);
 w = strlen(s);
 len = w + 1;
- if (bufsize >= len)
+ if (bufsize && bufsize >= len)
 memcpy(buf, s, len);
 break;
 case 'f': /* null-terminated string */
 s = va_arg(ap,char *);
 w = strlen(s);
 len = w + 1;
- if (bufsize >= len)
+ if (bufsize && bufsize >= len)
 memcpy(buf, s, len);
 break;
 case 'B': /* fixed-length string */
 i = va_arg(ap, int);
 s = va_arg(ap, char *);
 len = 4+i;
- if (bufsize >= len) {
+ if (bufsize && bufsize >= len) {
 SIVAL(buf, 0, i);
 memcpy(buf+4, s, i);
 }
@@ -459,7 +459,10 @@ size_t tdb_pack(char *buf, int bufsize, const char *fmt, ...)
 }
 buf += len;
- bufsize -= len;
+ if (bufsize)
+ bufsize -= len;
+ if (bufsize < 0)
+ bufsize = 0;
 }
 va_end(ap); |
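Review bot: `ret.dptr = dptr;` in make_tdb_data stores a `const char *` into the returned TDB_DATA, which now aliases the caller's buffer instead of owning a copy. If TDB_DATA.dptr is declared `char *` (its definition is not shown here), the assignment silently drops the const qualifier and should at least carry an explicit cast so the intent is visible. The function also needs a comment stating the new contract, for example `/* Returned TDB_DATA borrows dptr: never free it, and keep dptr valid while the result is in use. */`, since a caller written against the old copying behaviour could free or outlive memory it does not own.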
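Review bot: The 'b' case still calls `SSVAL(buf, 0, bt)` with `len = 1`, and SSVAL is the 16-bit store that the 'w' case uses with `len = 2`, so packing one byte writes two while only one is checked and accounted for. When exactly one byte remains, the new guard passes and the store runs one byte past the end of the buffer; the 8-bit store `SCVAL(buf, 0, bt);` is what the length implies. Separately, the 'B' case takes `i` from an `int` argument and hands it to `memcpy(buf+4, s, i)`, so a negative `i` should be rejected before `len = 4+i` is computed. tdb_pack begins and ends outside this hunk.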
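Review bot: `buf += len;` stays unconditional while `bufsize` is now pinned at 0, so once the buffer is exhausted `buf` keeps advancing beyond the end of the caller's buffer. Nothing dereferences it in the visible code because every store is guarded, but the pointer arithmetic itself leaves the object; if the return value is derived from `buf` (the end of tdb_pack is not in this hunk), a separate running total would avoid that. The two new `if` statements also deserve a comment stating the convention, for example `/* bufsize == 0 means measure only: stop subtracting and never let it go negative */`. The enclosing loop starts before the hunk.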