From aa8c9ef1387d4a92ebcc03580bbb9a8a4bcb8320 Mon Sep 17 00:00:00 2001
From: Michael Adam
Date: Fri, 4 Mar 2011 23:53:44 +0100
Subject: s3:registry: fix invalid write in iconvert_talloc()
For a non-preallocated dest-string and sourcestring of len < 2, (one or both of the) final two two zero-bytes would be written after the end of the allocated dest-string. The sourcelen did not include the source string terminator. For longer strings, this was not a problem because the dest-string would have been reallocated in the convert-loop. This is fixed now by allocating two extra bytes for the terminating 0-bytes that are needed anyways in the initial allocation.
Pair-Programmed-With: Gregor Beck
---
 source3/registry/reg_parse_internal.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
(limited to 'source3/registry')
diff --git a/source3/registry/reg_parse_internal.c b/source3/registry/reg_parse_internal.c
index 4734662302..dedbe123d8 100644
--- a/source3/registry/reg_parse_internal.c
+++ b/source3/registry/reg_parse_internal.c
@@ -42,8 +42,11 @@ size_t iconvert_talloc(const void* ctx,
 dst = *pdst;
 if (dst == NULL) {
- /* dstlen = 2*srclen + 2; */
- dstlen = srclen;
+ /*
+ * Allocate an extra two bytes for the
+ * terminating zero.
+ */
+ dstlen = srclen + 2;
 dst = (char *)talloc_size(ctx, dstlen);
 if (dst == NULL) {
 DEBUG(0,("iconver_talloc no mem\n"));
-- cgit
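Review bot: The new `dstlen = srclen + 2;` only guarantees room for the two terminator bytes when the converted output is no longer than the input. If the conversion can expand a short source (the removed comment `/* dstlen = 2*srclen + 2; */` hints that it may), output that still fits in `dstlen` without triggering the in-loop reallocation would leave fewer than two bytes free, and the terminator write could again land past the allocation. The convert loop and the terminator write are outside this hunk, so this is inferred; the robust form is to check the remaining space immediately before writing the terminator and grow the buffer there, rather than relying on the initial size. Separately, `srclen + 2` can wrap for a very large `srclen`, so a guard such as `if (srclen > SIZE_MAX - 2)` taking the same failure path as the no-mem case would keep `talloc_size()` from being handed a tiny length.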