author Michael Adam <obnox@samba.org> 2011-03-04 23:53:44 +0100
committer Michael Adam <obnox@samba.org> 2011-03-05 01:31:33 +0100
commit aa8c9ef1387d4a92ebcc03580bbb9a8a4bcb8320
tree f50895f2fb4f0f43c0444f3c7c3b0d721350c784
parent 7b4fc4d745d3286363d4627b7c6d93696269fd65
s3:registry: fix invalid write in iconvert_talloc()

For a non-preallocated dest-string and sourcestring of len < 2, (one or both of the) final two zero-bytes would be written after the end of the allocated dest-string. The sourcelen did not include the source string terminator. For longer strings, this was not a problem because the dest-string would have been reallocated in the convert-loop.

This is fixed now by allocating two extra bytes for the terminating 0-bytes that are needed anyways in the initial allocation.

Pair-Programmed-With: Gregor Beck <gbeck@sernet.de>
-rw-r--r-- source3/registry/reg_parse_internal.c 7
1 files changed, 5 insertions, 2 deletions
diff --git a/source3/registry/reg_parse_internal.c b/source3/registry/reg_parse_internal.c
index 4734662302..dedbe123d8 100644
--- a/source3/registry/reg_parse_internal.c
+++ b/source3/registry/reg_parse_internal.c
@@ -42,8 +42,11 @@ size_t iconvert_talloc(const void* ctx,
dst = *pdst;
if (dst == NULL) {
- /* dstlen = 2*srclen + 2; */
- dstlen = srclen;
+ /*
+ * Allocate an extra two bytes for the
+ * terminating zero.
+ */
+ dstlen = srclen + 2;
dst = (char *)talloc_size(ctx, dstlen);
if (dst == NULL) {
DEBUG(0,("iconver_talloc no mem\n"));
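Review bot: `dstlen = srclen + 2;` in the `dst == NULL` branch is computed with no wrap check before it is passed to `talloc_size(ctx, dstlen)`; if `srclen` is an unsigned size type (its declaration is outside this hunk), a value within two of the maximum wraps to a tiny allocation and brings back the out-of-bounds write this change removes. Reject such a `srclen` before the addition, for example by failing when `srclen > SIZE_MAX - 2`. The new comment would also be more useful if it recorded why the two bytes are needed, namely that the source length does not include the terminator, as the commit message explains. Separately, the context line `DEBUG(0,("iconver_talloc no mem\n"));` misspells the function name, which makes the log message harder to find by searching for `iconvert_talloc`.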