[SCM] Samba Shared Repository - branch v3-0-test updated -
release-3-0-28-118-gdd34410
Jeremy Allison
jra at samba.org
Fri Feb 1 22:54:53 GMT 2008
The branch, v3-0-test has been updated
via dd3441022775f24cf66bd75daf899e92492eaeec (commit)
from 8957254118832d07440bf244006f216ac5b38dc2 (commit)
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test
- Log -----------------------------------------------------------------
commit dd3441022775f24cf66bd75daf899e92492eaeec
Author: Jeremy Allison <jra at samba.org>
Date: Fri Feb 1 14:54:19 2008 -0800
Ensure that convert_string_allocate() allocates 2 extra
bytes and null terminates them to ensure NDR wire-reads
of string types are always null terminated. Bug found by
Volker after great pain :-).
Jeremy.
-----------------------------------------------------------------------
Summary of changes:
source/lib/charcnv.c | 20 ++++++++++++++------
1 files changed, 14 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source/lib/charcnv.c b/source/lib/charcnv.c
index 7b52830..7d42e50 100644
--- a/source/lib/charcnv.c
+++ b/source/lib/charcnv.c
@@ -525,7 +525,7 @@ size_t convert_string(charset_t from, charset_t to,
size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to,
void const *src, size_t srclen, void *dst, BOOL allow_bad_conv)
{
- size_t i_len, o_len, destlen = MAX(srclen, 512);
+ size_t i_len, o_len, destlen = (srclen * 3) / 2;
size_t retval;
const char *inbuf = (const char *)src;
char *outbuf = NULL, *ob = NULL;
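Review bot: The new initial estimate `(srclen * 3) / 2` multiplies before dividing, so a very large srclen wraps and gives a much smaller destlen than intended. It also drops the old 512-byte floor without a comment saying why. The wrap is harmless only if the grow-and-retry path after `convert:` always runs, and the srclen validation is outside this hunk, so that should be confirmed. Writing it as `destlen = srclen + srclen / 2;` avoids the early wrap from the multiplication, and a short comment such as `/* Initial guess only; doubled at convert: before each allocation. */` would record the intent.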
@@ -551,7 +551,8 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to,
convert:
- if ((destlen*2) < destlen) {
+ /* +2 is for ucs2 null termination. */
+ if ((destlen*2)+2 < destlen) {
/* wrapped ! abort. */
if (!conv_silent)
DEBUG(0, ("convert_string_allocate: destlen wrapped !\n"));
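Review bot: The wrap test `(destlen*2)+2 < destlen` relies on the wrapped sum landing below destlen, which does not happen for destlen == (size_t)-2, where the sum wraps to exactly destlen. That value is probably unreachable given the doubling, though the starting value is set outside this hunk. A limit comparison made before multiplying is easier to audit: `if (destlen > ((size_t)-1 - 2) / 2) {`. The if/else this test belongs to continues past the end of the hunk.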
@@ -562,10 +563,11 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to,
destlen = destlen * 2;
}
+ /* +2 is for ucs2 null termination. */
if (ctx) {
- ob = (char *)TALLOC_REALLOC(ctx, ob, destlen);
+ ob = (char *)TALLOC_REALLOC(ctx, ob, destlen + 2);
} else {
- ob = (char *)SMB_REALLOC(ob, destlen);
+ ob = (char *)SMB_REALLOC(ob, destlen + 2);
}
if (!ob) {
@@ -611,9 +613,10 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to,
destlen = destlen - o_len;
if (ctx) {
- ob = (char *)TALLOC_REALLOC(ctx,ob,destlen);
+ /* We're shrinking here so we know the +2 is safe from wrap. */
+ ob = (char *)TALLOC_REALLOC(ctx,ob,destlen + 2);
} else {
- ob = (char *)SMB_REALLOC(ob,destlen);
+ ob = (char *)SMB_REALLOC(ob,destlen + 2);
}
if (destlen && !ob) {
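Review bot: The failure test `if (destlen && !ob)` no longer matches the allocation above it. The request is now destlen + 2 bytes, so it is never zero-sized, and a NULL return with destlen == 0 is a real allocation failure that this condition lets through. The terminator stores added in the last hunk (`ob[destlen] = '\0';`) would then write through a NULL pointer. Whether a conversion can finish with destlen == 0 depends on code outside the hunk, but the check should be `if (!ob) {` either way. The body of this if continues past the end of the hunk.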
@@ -622,6 +625,11 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to,
}
*dest = ob;
+
+ /* Must ucs2 null terminate in the extra space we allocated. */
+ ob[destlen] = '\0';
+ ob[destlen+1] = '\0';
+
return destlen;
use_as_is:
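Review bot: The two terminator bytes are written only on this return path; the `use_as_is:` label that follows starts a second path whose body is outside the hunk and which the visible diff does not touch. If that path also hands a buffer back through `*dest`, it needs the same destlen + 2 allocation and zeroing, otherwise the guarantee in the commit message holds only when a conversion actually ran. The function's header comment should also say that the returned length excludes the terminator, for example `/* Returned buffer holds destlen + 2 bytes; the last two are zero and are not counted in the return value. */`.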