Subtle bug in StrnCpy (part of lib/util_str.c)

Richard Bollinger rabollinger at home.com
Mon Nov 20 20:11:10 GMT 2000


While looking for memory allocation errors in Samba 2.0.7, I found this
subtle bug in StrnCpy:

Consider the case where the count includes a NULL at the end of the source
string and the count is equal to the available space in the destination
string...  the existing code will add an extra NULL after that - violating
the specified limit.  Of course, the comment in front of StrnCpy says "don't
do that"  ;-).

This condition specifically occurs in api_RNetShareEnum > fill_share_info >
CopyExpanded > StrnCpy.  The code malloc's just enough space for all of the
data and strncpy's each piece of it in place, passing a count to StrnCpy
equal to the remaining space in the buffer array.  Boom.

Here's the patch:

*** /home/svsrc/samba-2.0.7/source.Solaris/lib/util_str.c Thu Mar 16
17:59:18 2000
--- ./lib/util_str.c Mon Nov 20 14:28:52 2000
***************
*** 929,935 ****
      *dest = 0;
      return(dest);
    }
!   while (n-- && (*d++ = *src++)) ;
    *d = 0;
    return(dest);
  }
--- 929,937 ----
      *dest = 0;
      return(dest);
    }
!   while (n--)
!     if (!(*d++ = *src++))
!       return(dest);
    *d = 0;
    return(dest);
  }
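Review bot: the new loop only removes the second terminator in the case where src's own NUL falls within the first n bytes; when src is n or more characters long the loop exhausts n without returning and the trailing `*d = 0;` still lands at dest[n], one byte past the count. That matches the "one less than the available size" convention the function already documents, but since this patch is motivated by a caller (CopyExpanded) that passes the remaining buffer space as n, it is worth stating in the comment above StrnCpy that the truncating case still needs n+1 bytes, or adjusting that caller to pass one less; otherwise the same overflow remains reachable whenever a share string fills the remaining space exactly. Minor style point: the two-statement `while` body without braces is harder to read than the one-liner it replaces; wrapping it as `while (n--) { if (!(*d++ = *src++)) return(dest); }` keeps the intent obvious.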


Rich Bollinger, Elliott Company
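To make the off-by-one concrete, here is an added demonstration (not part of the original message or of the Samba source) that reconstructs the pre-patch and post-patch loops from the hunk above and runs each into a guard-filled buffer, reporting how many bytes the copy touched. The function names strncpy_old, strncpy_fixed and bytes_touched, the guard value and the sample string are assumptions made for this example. With n = 6 and the 5-character string "hello", the old loop copies the terminator and then writes a second one at dest[6], one past the count; the fixed loop stops at dest[5]. When src is not shorter than n (the n = 5 case) both versions still write the terminator at dest[n], which is the documented contract the patch does not change.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pre-patch loop, reconstructed from the "***" half of the hunk. When the
 * copied byte is the terminator, the loop ends with d already past it, and
 * the unconditional "*d = 0" writes a second NUL at dest[n]. */
char *strncpy_old(char *dest, const char *src, size_t n)
{
  char *d = dest;
  if (!dest) return NULL;
  if (!src) { *dest = 0; return dest; }
  while (n-- && (*d++ = *src++)) ;
  *d = 0;
  return dest;
}

/* Post-patch loop, from the "---" half of the hunk: return as soon as the
 * terminator has been copied, so nothing is written past dest[n-1] in that
 * case. If src is at least n characters long, dest[n] still receives a NUL. */
char *strncpy_fixed(char *dest, const char *src, size_t n)
{
  char *d = dest;
  if (!dest) return NULL;
  if (!src) { *dest = 0; return dest; }
  while (n--)
    if (!(*d++ = *src++))
      return dest;
  *d = 0;
  return dest;
}

#define GUARD 0xAA   /* constructed sentinel; never appears in the sample input */
#define BUFSZ 32

/* Copy src into a guard-filled buffer and return the index one past the last
 * byte the copy modified. The terminator is 0 and the guard is 0xAA, so every
 * write, including the NUL, is visible in the scan. */
size_t bytes_touched(char *(*copy)(char *, const char *, size_t),
                     const char *src, size_t n)
{
  unsigned char buf[BUFSZ];
  size_t last = 0;
  memset(buf, GUARD, sizeof buf);
  copy((char *)buf, src, n);
  for (size_t i = 0; i < sizeof buf; i++)
    if (buf[i] != GUARD) last = i + 1;
  return last;
}

int main(void)
{
  const char *sample = "hello";   /* constructed: 5 characters plus NUL */
  printf("n=6, old:   %zu bytes written\n", bytes_touched(strncpy_old, sample, 6));
  printf("n=6, fixed: %zu bytes written\n", bytes_touched(strncpy_fixed, sample, 6));
  printf("n=5, old:   %zu bytes written\n", bytes_touched(strncpy_old, sample, 5));
  printf("n=5, fixed: %zu bytes written\n", bytes_touched(strncpy_fixed, sample, 5));
  return 0;
}
```

The guard-byte scan is the same idea a heap debugger uses to spot a one-byte overrun: the old loop reports 7 bytes written for a count of 6, which is exactly the write that lands in whatever follows the last share string in the malloc'd RNetShareEnum buffer.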
