From 2ade25279c2770ce0cbec2130c55c1e3a3154935 Mon Sep 17 00:00:00 2001
From: Michael Adam
Date: Wed, 12 Dec 2007 13:50:48 +0100
Subject: Fix logic and prevent segfaults in secrets trustdom tdb pack code. New size calculation logic in tdb_trusted_dom_pass_pack() and tdb_sid_pack() used accumulated sizes as successive offsets to buffer pointer. Michael (This used to be commit 9c24713b402978e74dc8691be5cab71d8666eb41)
---
 source3/passdb/secrets.c | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
(limited to 'source3/passdb/secrets.c')
diff --git a/source3/passdb/secrets.c b/source3/passdb/secrets.c
index 32335eec89..a4cb76602a 100644
--- a/source3/passdb/secrets.c
+++ b/source3/passdb/secrets.c
@@ -360,16 +360,16 @@ static size_t tdb_sid_pack(uint8 *pack_buf, int bufsize, DOM_SID* sid)
 len += tdb_pack(p, remaining_space, "bb", sid->sid_rev_num, sid->num_auths);
 if (pack_buf) {
- p += len;
- remaining_space -= len;
+ p = pack_buf + len;
+ remaining_space = bufsize - len;
 }
 for (idx = 0; idx < 6; idx++) {
 len += tdb_pack(p, remaining_space, "b", sid->id_auth[idx]);
 if (pack_buf) {
- p += len;
- remaining_space -= len;
+ p = pack_buf + len;
+ remaining_space = bufsize - len;
 }
 }
@@ -377,8 +377,8 @@ static size_t tdb_sid_pack(uint8 *pack_buf, int bufsize, DOM_SID* sid)
 len += tdb_pack(p, remaining_space, "d", sid->sub_auths[idx]);
 if (pack_buf) {
- p += len;
- remaining_space -= len;
+ p = pack_buf + len;
+ remaining_space = bufsize - len;
 }
 }
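Review bot: `remaining_space = bufsize - len;` has no lower bound at any of its seven sites (both tdb_sid_pack hunks and the tdb_trusted_dom_pass_pack hunk), so once the accumulated `len` exceeds `bufsize` the result goes negative or wraps and `p = pack_buf + len` points past the end of the caller's buffer. This matters if tdb_pack() reports the length it needs even when the data does not fit, which the NULL-`pack_buf` sizing path suggests; whether it then writes through such a `p` is not visible here, and the declarations of `len`, `p` and `remaining_space` are outside the hunk. Because this buffer holds trusted-domain secrets, I would clamp the offset before using it, assuming `bufsize` is non-negative: `size_t used = (len < (size_t)bufsize) ? len : (size_t)bufsize;` followed by `p = pack_buf + used; remaining_space = bufsize - (int)used;`. The functions should keep returning the full `len` so that callers can still detect truncation.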
@@ -440,31 +440,31 @@ static size_t tdb_trusted_dom_pass_pack(uint8 *pack_buf, int bufsize,
 len += tdb_pack(p, remaining_space, "d", pass->uni_name_len);
 if (pack_buf) {
- p += len;
- remaining_space -= len;
+ p = pack_buf + len;
+ remaining_space = bufsize - len;
 }
 for (idx = 0; idx < 32; idx++) {
 len += tdb_pack(p, remaining_space, "w", pass->uni_name[idx]);
 if (pack_buf) {
- p += len;
- remaining_space -= len;
+ p = pack_buf + len;
+ remaining_space = bufsize - len;
 }
 }
 len += tdb_pack(p, remaining_space, "dPd", pass->pass_len, pass->pass, pass->mod_time);
 if (pack_buf) {
- p += len;
- remaining_space -= len;
+ p = pack_buf + len;
+ remaining_space = bufsize - len;
 }
 /* packing SID structure */
 len += tdb_sid_pack(p, remaining_space, &pass->domain_sid);
 if (pack_buf) {
- p += len;
- remaining_space -= len;
+ p = pack_buf + len;
+ remaining_space = bufsize - len;
 }
 return len;
-- cgit
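Review bot: The four-line cursor update after each pack call is copied seven times across tdb_sid_pack() and tdb_trusted_dom_pass_pack(), and this commit had to correct the same arithmetic at every copy; a single static helper would keep the offset calculation, and any bound on it, in one place. The last copy, directly before `return len;`, assigns `p` and `remaining_space` values that are never read again and can simply be dropped. The sketch below uses a suggested helper name and assumes `p` is a `uint8 *` and `remaining_space` an `int`, since their declarations are outside the hunk.

```c
/* Move the write cursor to offset len, never past the end of pack_buf. */
static void tdb_pack_advance(uint8 *pack_buf, int bufsize, size_t len,
			     uint8 **p, int *remaining_space)
{
	size_t cap = (bufsize > 0) ? (size_t)bufsize : 0;
	size_t used = (len < cap) ? len : cap;

	if (pack_buf == NULL) {
		return;	/* sizing pass: no buffer, nothing to advance */
	}
	*p = pack_buf + used;
	*remaining_space = (int)(cap - used);
}

	/* … unchanged: earlier tdb_pack() calls, each followed by the same helper call … */
	len += tdb_pack(p, remaining_space, "d", pass->uni_name_len);
	tdb_pack_advance(pack_buf, bufsize, len, &p, &remaining_space);
```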