From 4d43088f941ead2702ca616d81b34a9aa754300a Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Tue, 8 Apr 2014 10:38:33 -0700
Subject: [PATCH] s3-lib/util: fix logic inside set_namearray loops.
Additional fix for bug #10544 - s3-lib/util: set_namearray reads across end of namelist string. Not strictly needed as the initial fix addresses the problem, but corrects the internal logic inside the loops.
https://bugzilla.samba.org/show_bug.cgi?id=10544
Signed-off-by: Jeremy Allison
---
 source3/lib/util.c | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/source3/lib/util.c b/source3/lib/util.c
index d061200..2794882 100644
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -1071,11 +1071,13 @@ void set_namearray(name_compare_entry **ppname_array, const char *namelist_in)
 /* find the next '/' or consume remaining */
 name_end = strchr_m(nameptr, '/');
- if (name_end == NULL)
- name_end = (char *)nameptr + strlen(nameptr);
-
- /* next segment please */
- nameptr = name_end + 1;
+ if (name_end == NULL) {
+ /* Point nameptr at the terminating '\0' */
+ nameptr += strlen(nameptr);
+ } else {
+ /* next segment please */
+ nameptr = name_end + 1;
+ }
 num_entries++;
 }
@@ -1105,10 +1107,9 @@ void set_namearray(name_compare_entry **ppname_array, const char *namelist_in)
 /* find the next '/' or consume remaining */
 name_end = strchr_m(nameptr, '/');
- if (name_end)
+ if (name_end) {
 *name_end = '\0';
- else
- name_end = nameptr + strlen(nameptr);
+ }
 (*ppname_array)[i].is_wild = ms_has_wild(nameptr);
 if(((*ppname_array)[i].name = SMB_STRDUP(nameptr)) == NULL) {
@@ -1117,8 +1118,13 @@ void set_namearray(name_compare_entry **ppname_array, const char *namelist_in)
 return;
 }
- /* next segment please */
- nameptr = name_end + 1;
+ if (name_end == NULL) {
+ /* Point nameptr at the terminating '\0' */
+ nameptr += strlen(nameptr);
+ } else {
+ /* next segment please */
+ nameptr = name_end + 1;
+ }
 i++;
 }
--
1.9.1.423.g4596e3a
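Review bot: The terminator-advance block added to the counting loop in the first hunk (-1071) is repeated line for line in the filling loop (the hunk at -1117), so the function now carries two copies of the same segment-walking rule that must never disagree. The filling loop writes `(*ppname_array)[i]` and nothing visible in these hunks bounds `i`; the array is presumably sized from `num_entries`, though the allocation sits outside the hunks. If that holds, a guard such as `if (i >= num_entries) { break; }` ahead of the `is_wild` assignment would make any future divergence between the two loops fail closed instead of writing past the allocation. Both loop bodies start and end outside the hunks shown.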
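Review bot: The comment `/* find the next '/' or consume remaining */` above `strchr_m()` in the second hunk (-1105) no longer matches the code, because `name_end` is now left NULL for the last segment and is only re-tested after the `SMB_STRDUP()` call, in the hunk at -1117. That dependency between the two places is easy to break in a later edit, so I would document it at the `if (name_end) {` line: `/* terminate this segment in place; name_end stays NULL on the last segment and is re-checked below */`. The same stale comment sits above the counting loop's `strchr_m()` call in the first hunk. The loop body continues outside this hunk.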