author | Michael Adam <obnox@samba.org> | 2011-03-04 23:53:44 +0100 |
---|---|---|
committer | Michael Adam <obnox@samba.org> | 2011-03-05 01:31:33 +0100 |
commit | aa8c9ef1387d4a92ebcc03580bbb9a8a4bcb8320 (patch) | |
tree | f50895f2fb4f0f43c0444f3c7c3b0d721350c784 /source3/registry | |
parent | 7b4fc4d745d3286363d4627b7c6d93696269fd65 (diff) | |
s3:registry: fix invalid write in iconvert_talloc()
For a non-preallocated dest-string and sourcestring of len < 2,
(one or both of the) final two zero-bytes would be written
after the end of the allocated dest-string. The sourcelen did
not include the source string terminator. For longer strings,
this was not a problem because the dest-string would have been
reallocated in the convert-loop. This is fixed now by allocating
two extra bytes for the terminating 0-bytes that are needed anyways
in the initial allocation.
Pair-Programmed-With: Gregor Beck <gbeck@sernet.de>
Diffstat (limited to 'source3/registry')
-rw-r--r-- | source3/registry/reg_parse_internal.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/source3/registry/reg_parse_internal.c b/source3/registry/reg_parse_internal.c index 4734662302..dedbe123d8 100644 --- a/source3/registry/reg_parse_internal.c +++ b/source3/registry/reg_parse_internal.c @@ -42,8 +42,11 @@ size_t iconvert_talloc(const void* ctx, dst = *pdst; if (dst == NULL) { - /* dstlen = 2*srclen + 2; */ - dstlen = srclen; + /* + * Allocate an extra two bytes for the + * terminating zero. + */ + dstlen = srclen + 2; dst = (char *)talloc_size(ctx, dstlen); if (dst == NULL) { DEBUG(0,("iconver_talloc no mem\n")); |
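Review bot: the new `dstlen = srclen + 2;` in the `dst == NULL` branch is computed without a wrap check, so if `srclen` is an unsigned size type and a caller passes a value within two of its maximum, `talloc_size()` receives a tiny length and the terminator write lands out of bounds again. Consider rejecting `srclen > SIZE_MAX - 2` before the addition. The fix also covers only this branch: when `*pdst` is preallocated, nothing in the visible lines shows that the buffer has room for the two terminating bytes, so it is worth confirming that the write site checks the remaining space itself instead of relying on the initial allocation. Two small points: the new comment says "terminating zero" where the commit message means two zero bytes, and the unchanged `DEBUG(0,("iconver_talloc no mem\n"));` line misspells the function name, which makes the message harder to grep for.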