[SCM] Samba Shared Repository - branch v3-0-test updated - release-3-0-28-118-gdd34410

Jeremy Allison jra at samba.org
Fri Feb 1 22:54:53 GMT 2008


The branch, v3-0-test has been updated
       via  dd3441022775f24cf66bd75daf899e92492eaeec (commit)
      from  8957254118832d07440bf244006f216ac5b38dc2 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test


- Log -----------------------------------------------------------------
commit dd3441022775f24cf66bd75daf899e92492eaeec
Author: Jeremy Allison <jra at samba.org>
Date:   Fri Feb 1 14:54:19 2008 -0800

    Ensure that convert_string_allocate() allocates 2 extra
    bytes and null terminates them to ensure NDR wire-reads
    of string types are always null terminated. Bug found by
    Volker after great pain :-).
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source/lib/charcnv.c |   20 ++++++++++++++------
 1 files changed, 14 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/lib/charcnv.c b/source/lib/charcnv.c
index 7b52830..7d42e50 100644
--- a/source/lib/charcnv.c
+++ b/source/lib/charcnv.c
@@ -525,7 +525,7 @@ size_t convert_string(charset_t from, charset_t to,
 size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to,
 			       void const *src, size_t srclen, void *dst, BOOL allow_bad_conv)
 {
-	size_t i_len, o_len, destlen = MAX(srclen, 512);
+	size_t i_len, o_len, destlen = (srclen * 3) / 2;
 	size_t retval;
 	const char *inbuf = (const char *)src;
 	char *outbuf = NULL, *ob = NULL;
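Review bot: The new initial estimate `destlen = (srclen * 3) / 2` wraps silently once srclen exceeds SIZE_MAX / 3, and the old `MAX(srclen, 512)` floor is gone, so an empty input now starts with destlen == 0. The later `(destlen*2)+2 < destlen` check only catches the doubling step, not this first multiplication, and a zero destlen is never grown by `destlen = destlen * 2` should the retry path be entered with no output space (the retry loop body is outside this hunk, so I cannot confirm whether that happens for srclen == 0). A guarded form such as `destlen = (srclen > SIZE_MAX / 3) ? srclen : (srclen * 3) / 2;` avoids the wrap, and a small floor would restore the previous behaviour for empty input. convert_string_allocate continues past the end of this hunk.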
@@ -551,7 +551,8 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to,
 
   convert:
 
-	if ((destlen*2) < destlen) {
+	/* +2 is for ucs2 null termination. */
+	if ((destlen*2)+2 < destlen) {
 		/* wrapped ! abort. */
 		if (!conv_silent)
 			DEBUG(0, ("convert_string_allocate: destlen wrapped !\n"));
@@ -562,10 +563,11 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to,
 		destlen = destlen * 2;
 	}
 
+	/* +2 is for ucs2 null termination. */
 	if (ctx) {
-		ob = (char *)TALLOC_REALLOC(ctx, ob, destlen);
+		ob = (char *)TALLOC_REALLOC(ctx, ob, destlen + 2);
 	} else {
-		ob = (char *)SMB_REALLOC(ob, destlen);
+		ob = (char *)SMB_REALLOC(ob, destlen + 2);
 	}
 
 	if (!ob) {
@@ -611,9 +613,10 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to,
 
 	destlen = destlen - o_len;
 	if (ctx) {
-		ob = (char *)TALLOC_REALLOC(ctx,ob,destlen);
+		/* We're shrinking here so we know the +2 is safe from wrap. */
+		ob = (char *)TALLOC_REALLOC(ctx,ob,destlen + 2);
 	} else {
-		ob = (char *)SMB_REALLOC(ob,destlen);
+		ob = (char *)SMB_REALLOC(ob,destlen + 2);
 	}
 
 	if (destlen && !ob) {
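Review bot: The error check `if (destlen && !ob)` on the line after the shrinking realloc is now stale: the request is `destlen + 2`, never zero, so a NULL return is always an allocation failure, yet it is skipped when destlen == 0 and the next hunk then writes `ob[destlen] = '\0'` through the NULL pointer. The `destlen &&` guard existed because realloc(ob, 0) could legitimately return NULL; with the +2 that case no longer exists, so the line should read `if (!ob) {`. The same reasoning applies to the earlier growing realloc in the hunk above if its failure check is guarded the same way (its `if (!ob)` at the end of that hunk looks correct). The function body continues beyond this hunk.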
@@ -622,6 +625,11 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to,
 	}
 
 	*dest = ob;
+
+	/* Must ucs2 null terminate in the extra space we allocated. */
+	ob[destlen] = '\0';
+	ob[destlen+1] = '\0';
+
 	return destlen;
 
  use_as_is:

