authorAndrew Bartlett <abartlet@samba.org>2003-02-24 01:13:31 +0000
committerAndrew Bartlett <abartlet@samba.org>2003-02-24 01:13:31 +0000
commite68684aa65b579081163c175d681b7867a0828bf (patch)
treea6306ed4e60f86159a2b62a886be62d8273348cc /source3/lib
parentbd0bbde1bba4ad4e6e95f269912943d9d583dce4 (diff)
Fix 2 off-by-one bugs in the use of malloc()ed strings and safe_strcpy().
safe_strcpy() isn't particularly safe (this has been noted before) as it does not take the size of the buffer, but instead the size of the buffer *minus 1*. The locking.c fix was causing segfaults on machines running with --enable-developer, and was tracked down thanks to the fact that vance's build farm machine runs with such an option, and smbtorture's DIR1 test hits this bug very well. (The --enable-developer code writes to the last byte of the string, to check for incorrect use of safe_strcpy()). Andrew Bartlett (This used to be commit e908fd164d1b11b6f76a6fdffb22e139813cb3c0)
Diffstat (limited to 'source3/lib')
-rw-r--r--source3/lib/hash.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/source3/lib/hash.c b/source3/lib/hash.c
index 95af485707..c7b1493b4c 100644
--- a/source3/lib/hash.c
+++ b/source3/lib/hash.c
@@ -171,6 +171,7 @@ hash_element *hash_insert(hash_table *table, char *value, char *key)
hash_element *hash_elem;
ubi_dlNodePtr lru_item;
ubi_dlList *bucket;
+ size_t string_length;
/*
* If the hash table size has not reached the MAX_HASH_TABLE_SIZE,
@@ -204,12 +205,13 @@ hash_element *hash_insert(hash_table *table, char *value, char *key)
* string.
*/
- if(!(hash_elem = (hash_element *) malloc(sizeof(hash_element) + strlen(key)))) {
+ string_length = strlen(key);
+ if(!(hash_elem = (hash_element *) malloc(sizeof(hash_element) + string_length))) {
DEBUG(0,("hash_insert: malloc fail !\n"));
return (hash_element *)NULL;
}
- safe_strcpy((char *) hash_elem->key, key, strlen(key)+1);
+ safe_strcpy((char *) hash_elem->key, key, string_length);
hash_elem->value = (char *)value;
hash_elem->bucket = bucket;
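Review bot: The corrected `safe_strcpy()` call still leaves the link between the allocation size and the copy bound undocumented, which is the kind of gap that let the off-by-one in. The `malloc()` of `sizeof(hash_element) + string_length` only has room for the terminator if `hash_element` itself reserves one byte for `key`; the struct is declared outside this hunk, so that is inferred from the existing "one more byte than strlen(key)" comment. I would add a comment directly above the copy, for example `/* safe_strcpy() takes the max string length (buffer size - 1); the NUL lands in the byte hash_element reserves for key. */`. The body of hash_insert starts and ends outside the hunk, so any earlier validation of `key` is not visible here.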