author | Andrew Bartlett <abartlet@samba.org> | 2003-02-24 01:13:31 +0000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2003-02-24 01:13:31 +0000 |
commit | e68684aa65b579081163c175d681b7867a0828bf (patch) | |
tree | a6306ed4e60f86159a2b62a886be62d8273348cc /source3/locking | |
parent | bd0bbde1bba4ad4e6e95f269912943d9d583dce4 (diff) | |
Fix 2 off-by-one bugs in the use of malloc()ed strings and safe_strcpy().

safe_strcpy() isn't particularly safe (this has been noted before) as it does
not take the size of the buffer, but instead the size of the buffer *minus 1*.

The locking.c fix was causing segfaults on machines running with
--enable-developer, and was tracked down thanks to the fact that vance's build
farm machine runs with such an option, and smbtorture's DIR1 test hits this
bug very well.

(The --enable-developer code writes to the last byte of the string, to check
for incorrect use of safe_strcpy()).

Andrew Bartlett
(This used to be commit e908fd164d1b11b6f76a6fdffb22e139813cb3c0)
Diffstat (limited to 'source3/locking')
-rw-r--r-- | source3/locking/locking.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/source3/locking/locking.c b/source3/locking/locking.c index d4794560f6..fdfd4d661c 100644 --- a/source3/locking/locking.c +++ b/source3/locking/locking.c @@ -630,7 +630,7 @@ BOOL set_share_mode(files_struct *fsp, uint16 port, uint16 op_type) fsp->fsp_name )); offset = sizeof(*data) + sizeof(share_mode_entry); - safe_strcpy(p + offset, fname, size - offset); + safe_strcpy(p + offset, fname, size - offset - 1); fill_share_mode(p + sizeof(*data), fsp, port, op_type); dbuf.dptr = p; dbuf.dsize = size; |
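Review bot: The new third argument in `safe_strcpy(p + offset, fname, size - offset - 1);` has no comment explaining the `- 1`, so the next reader is likely to see it as a mistake and "fix" it back to the full remaining size. A one-line comment at the call saying that safe_strcpy() takes the maximum string length rather than the buffer size, so the terminator needs the extra byte, would keep the convention visible where it matters. The hunk also does not show how `size` is computed; it is worth confirming in the surrounding code that `size` covers `offset` plus the length of `fname` plus the terminating NUL, since otherwise the corrected bound would silently truncate the name instead of writing past the allocation.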