Fix 2 off-by-one bugs in the use of malloc()ed strings and safe_strcpy().

safe_strcpy() isn't particularly safe (this has been noted before) as it does
not take the size of the buffer, but instead the size of the buffer *minus 1*

The locking.c fix was causing segfaults on machines running with
--enable-developer, and was tracked down thanks to the fact that vance's build
farm machine runs with such an option, and smbtorture's DIR1 test hits this
bug very well.

(The --enable-developer code writes to the last byte of the string, to check
for incorrect use of safe_strcpy()).

Andrew Bartlett
(This used to be commit e908fd164d1b11b6f76a6fdffb22e139813cb3c0)

1 files changed, 4 insertions, 2 deletions

diff --git a/source3/lib/hash.c b/source3/lib/hash.c
index 95af485707..c7b1493b4c 100644
--- a/source3/lib/hash.c
+++ b/source3/lib/hash.c
@@ -171,6 +171,7 @@ hash_element *hash_insert(hash_table *table, char *value, char *key)
 	hash_element	*hash_elem;
 	ubi_dlNodePtr lru_item;
 	ubi_dlList *bucket; 
+	size_t string_length;
 
 	/* 
 	 * If the hash table size has not reached the MAX_HASH_TABLE_SIZE,
@@ -204,12 +205,13 @@ hash_element *hash_insert(hash_table *table, char *value, char *key)
 	 * string.
 	 */
 
-	if(!(hash_elem = (hash_element *) malloc(sizeof(hash_element) + strlen(key)))) {
+	string_length = strlen(key);
+	if(!(hash_elem = (hash_element *) malloc(sizeof(hash_element) + string_length))) {
 		DEBUG(0,("hash_insert: malloc fail !\n"));
 		return (hash_element *)NULL;
 	}
 
-	safe_strcpy((char *) hash_elem->key, key, strlen(key)+1);
+	safe_strcpy((char *) hash_elem->key, key, string_length);
 
 	hash_elem->value = (char *)value;
 	hash_elem->bucket = bucket;