s3:registry: fix invalid write in iconvert_talloc()

For a non-preallocated dest-string and sourcestring of len < 2,
(one or both of the) final two two zero-bytes would be written
after the end of the allocated dest-string. The sourcelen did
not include the source string terminator. For longer strings,
this was not a problem because the dest-string would have been
reallocated in the convert-loop. This is fixed now by allocating
two extra bytes for the terminating 0-bytes that are needed anyways
in the initial allocation.

Pair-Programmed-With: Gregor Beck <gbeck@sernet.de>

1 files changed, 5 insertions, 2 deletions

diff --git a/source3/registry/reg_parse_internal.c b/source3/registry/reg_parse_internal.c
index 4734662302..dedbe123d8 100644
--- a/source3/registry/reg_parse_internal.c
+++ b/source3/registry/reg_parse_internal.c
@@ -42,8 +42,11 @@ size_t iconvert_talloc(const void* ctx,
 	dst = *pdst;
 
 	if (dst == NULL) {
-		/* dstlen = 2*srclen + 2; */
-		dstlen = srclen;
+		/*
+		 * Allocate an extra two bytes for the
+		 * terminating zero.
+		 */
+		dstlen = srclen + 2;
 		dst = (char *)talloc_size(ctx, dstlen);
 		if (dst == NULL) {
 			DEBUG(0,("iconver_talloc no mem\n"));