From e68684aa65b579081163c175d681b7867a0828bf Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 24 Feb 2003 01:13:31 +0000 Subject: Fix 2 off-by-one bugs in the use of malloc()ed strings and safe_strcpy(). safe_strcpy() isn't particularly safe (this has been noted before) as it does not take the size of the buffer, but instead the size of the buffer *minus 1* The locking.c fix was causing segfaults on machines running with --enable-developer, and was tracked down thanks to the fact that vance's build farm machine runs with such an option, and smbtorture's DIR1 test hits this bug very well. (The --enable-developer code writes to the last byte of the string, to check for incorrect use of safe_strcpy()). Andrew Bartlett (This used to be commit e908fd164d1b11b6f76a6fdffb22e139813cb3c0) --- source3/lib/hash.c | 6 ++++-- source3/locking/locking.c | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) (limited to 'source3') diff --git a/source3/lib/hash.c b/source3/lib/hash.c index 95af485707..c7b1493b4c 100644 --- a/source3/lib/hash.c +++ b/source3/lib/hash.c @@ -171,6 +171,7 @@ hash_element *hash_insert(hash_table *table, char *value, char *key) hash_element *hash_elem; ubi_dlNodePtr lru_item; ubi_dlList *bucket; + size_t string_length; /* * If the hash table size has not reached the MAX_HASH_TABLE_SIZE, @@ -204,12 +205,13 @@ hash_element *hash_insert(hash_table *table, char *value, char *key) * string. */ - if(!(hash_elem = (hash_element *) malloc(sizeof(hash_element) + strlen(key)))) { + string_length = strlen(key); + if(!(hash_elem = (hash_element *) malloc(sizeof(hash_element) + string_length))) { DEBUG(0,("hash_insert: malloc fail !\n")); return (hash_element *)NULL; } - safe_strcpy((char *) hash_elem->key, key, strlen(key)+1); + safe_strcpy((char *) hash_elem->key, key, string_length); hash_elem->value = (char *)value; hash_elem->bucket = bucket; diff --git a/source3/locking/locking.c b/source3/locking/locking.c index d4794560f6..fdfd4d661c 100644 --- a/source3/locking/locking.c +++ b/source3/locking/locking.c @@ -630,7 +630,7 @@ BOOL set_share_mode(files_struct *fsp, uint16 port, uint16 op_type) fsp->fsp_name )); offset = sizeof(*data) + sizeof(share_mode_entry); - safe_strcpy(p + offset, fname, size - offset); + safe_strcpy(p + offset, fname, size - offset - 1); fill_share_mode(p + sizeof(*data), fsp, port, op_type); dbuf.dptr = p; dbuf.dsize = size; -- cgit