svn commit: samba r19520 - in branches/SAMBA_4_0/source/lib/ldb/samba: .

simo idra at samba.org
Wed Nov 1 12:56:36 GMT 2006


On Wed, 2006-11-01 at 03:17 +0000, abartlet at samba.org wrote:
> Author: abartlet
> Date: 2006-11-01 03:17:23 +0000 (Wed, 01 Nov 2006)
> New Revision: 19520
> 
> WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=19520
> 
> Log:
> Try not to read past the end of the ldb buffer.
> 
> Andrew Bartlett
> 
> Modified:
>    branches/SAMBA_4_0/source/lib/ldb/samba/ldif_handlers.c
> 
> 
> Changeset:
> Modified: branches/SAMBA_4_0/source/lib/ldb/samba/ldif_handlers.c
> ===================================================================
> --- branches/SAMBA_4_0/source/lib/ldb/samba/ldif_handlers.c	2006-10-31 19:06:46 UTC (rev 19519)
> +++ branches/SAMBA_4_0/source/lib/ldb/samba/ldif_handlers.c	2006-11-01 03:17:23 UTC (rev 19520)
> @@ -80,10 +80,12 @@
>  
>  static BOOL ldb_comparision_objectSid_isString(const struct ldb_val *v)
>  {
> -	/* see if the input if null-terninated */
> -	if (v->data[v->length] != '\0') return False;
> -	
> +	if (v->length < 3) {
> +		return False;
> +	}
> +
>  	if (strncmp("S-", (const char *)v->data, 2) != 0) return False;
> +	
>  	return True;
>  }
>  
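Review bot: in ldb_comparision_objectSid_isString the new `v->length < 3` guard makes the 2-byte strncmp safe, but the function name still promises "is a string" while nothing here establishes that the value is terminated or free of embedded NULs. A caller that takes True as licence to pass v->data to a string routine can still run past the buffer. The removed test was not a safe way to establish that either, since `v->data[v->length]` is itself one byte beyond the counted length. Suggest a comment stating that only the "S-" prefix within v->length is checked, and that callers must parse using the length or from a terminated copy. The whitespace-only line added after the strncmp can be dropped.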
> @@ -179,9 +181,6 @@
>  	struct GUID guid;
>  	NTSTATUS status;
>  
> -	/* see if the input if null-terninated */
> -	if (v->data[v->length] != '\0') return False;
> -
>  	if (v->length < 33) return False;
>  
>  	status = GUID_from_string((const char *)v->data, &guid);
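Review bot: after this hunk the only guard before `GUID_from_string((const char *)v->data, &guid)` is `v->length < 33`, and that call receives a bare char pointer with no length, so an unterminated value of 33 or more bytes is handed to a parser that cannot be told where the buffer ends. Suggest copying the v->length bytes into a terminated buffer and parsing that, or bounding the parse by v->length, rather than removing the termination test with nothing in its place.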

Checking for the length and checking for termination are not the same
thing. We can have binary blobs as data. I think that keeping the check
on null termination is important as it may prevent segfaults deriving from
a run past the buffer by functions that expect null-terminated strings
as input.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
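
The distinction drawn in the reply above, as an added example that is not part of the original mail or of Samba's code: a length-counted value is inspected using only its counted bytes, then copied into a terminated buffer before any C-string function sees it. `struct blob_val` and both function names are hypothetical stand-ins for ldb's value type, and treating an embedded NUL as "binary" is an assumption of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a length-counted value: data is NOT guaranteed
 * to be NUL-terminated, and data[length] may not even be addressable. */
struct blob_val {
	const uint8_t *data;
	size_t length;
};

/* Prefix test that touches only bytes [0, length). Values with a NUL inside
 * the counted bytes are treated as binary (assumption of this example). */
static bool val_looks_like_sid_string(const struct blob_val *v)
{
	if (v->data == NULL || v->length < 3) return false;
	if (memcmp(v->data, "S-", 2) != 0) return false;
	return memchr(v->data, '\0', v->length) == NULL;
}

/* Make a terminated copy before handing the value to a function that expects
 * a C string. Returns NULL for binary input or on allocation failure; the
 * caller frees the result. */
static char *val_to_cstring(const struct blob_val *v)
{
	char *s;

	if (v->data == NULL || v->length == SIZE_MAX) return NULL;
	if (memchr(v->data, '\0', v->length) != NULL) return NULL;
	s = malloc(v->length + 1);
	if (s == NULL) return NULL;
	memcpy(s, v->data, v->length);
	s[v->length] = '\0';
	return s;
}

int main(void)
{
	/* Constructed input: 5 counted bytes followed by unrelated bytes. */
	const uint8_t raw[] = { 'S', '-', '1', '-', '5', 'J', 'U', 'N', 'K' };
	struct blob_val v = { raw, 5 };
	char *s = val_to_cstring(&v);

	printf("sid-like=%d copy=%s\n", val_looks_like_sid_string(&v), s ? s : "(null)");
	free(s);
	return 0;
}
```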


