svn commit: samba r19520 - in branches/SAMBA_4_0/source/lib/ldb/samba: .
simo
idra at samba.org
Wed Nov 1 21:49:07 GMT 2006
On Thu, 2006-11-02 at 07:49 +1100, Andrew Bartlett wrote:
> The fundamental problem comes from the fact that ldb presumes that all
> buffers have a NULL terminator at v->data[v->length]. However, if you
> create a data blob with data_blob(), or the ndr_push_data_blob
> functions, this will not contain such a terminator.
>
> Relying on any data to be present at v->data[v->length] is inconsistent
> and unexpected.
>
> I realise it works really nicely for strings, but currently it also
> works by dumb luck as much as anything...
This is exactly the problem: it may not be a string, so it may not be
terminated; in that case GUID_from_string could just read past the
allocated memory and segfault. That's why there is a check on string
termination.
Maybe we can change DATA_BLOB to always allocate one extra null byte so
that ldb_val and data_blob are compatible and surely null terminated.
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
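The two options discussed in this exchange, a terminator check versus a parser that never relies on a byte at data[length], as an added example that is not Samba code: blob_t is a stand-in for ldb_val/DATA_BLOB (a pointer plus a length, as Andrew describes them), blob_alloc_raw models the unterminated allocation, blob_alloc_terminated models Simo's proposed over-allocate-by-one fix, and guid_from_blob is a hypothetical bounded parser in the spirit of GUID_from_string. It decodes the 32 hex digits in textual order and does not model Samba's GUID field byte order.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for ldb_val / DATA_BLOB as described in the thread (hypothetical
 * name): a pointer and a length, with no guarantee that data[length] exists. */
typedef struct {
    uint8_t *data;
    size_t length;
} blob_t;

/* Models what data_blob()/ndr_push_data_blob are said to produce: exactly
 * len bytes, no terminator. Reading data[len] is an out-of-bounds read. */
blob_t blob_alloc_raw(const void *src, size_t len)
{
    blob_t b = { malloc(len ? len : 1), len };
    if (b.data && len) memcpy(b.data, src, len);
    return b;
}

/* Simo's suggestion: always allocate one extra byte and NUL-terminate it,
 * so data[length] is inside the allocation and string code stays safe. */
blob_t blob_alloc_terminated(const void *src, size_t len)
{
    blob_t b = { malloc(len + 1), len };
    if (b.data) {
        if (len) memcpy(b.data, src, len);
        b.data[len] = '\0';
    }
    return b;
}

void blob_free(blob_t *b)
{
    free(b->data);
    b->data = NULL;
    b->length = 0;
}

static int hexval(uint8_t c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Bounded syntax check: touches only bytes in [0, length). Using the length
 * instead of a terminator is what makes this safe on blob_alloc_raw output. */
int blob_looks_like_guid(const blob_t *v)
{
    static const char pattern[] = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
    if (v->data == NULL || v->length != 36) return 0;
    for (size_t i = 0; i < 36; i++) {
        if (pattern[i] == '-') {
            if (v->data[i] != '-') return 0;
        } else if (!isxdigit(v->data[i])) {
            return 0;
        }
    }
    return 1;
}

/* Hypothetical bounded parser: 36 text bytes -> 16 raw bytes in textual
 * order. Returns 0 on success, -1 if the blob is not GUID-shaped. */
int guid_from_blob(const blob_t *v, uint8_t out[16])
{
    if (!blob_looks_like_guid(v)) return -1;
    size_t oi = 0;
    for (size_t i = 0; i < 36; ) {
        if (v->data[i] == '-') { i++; continue; }
        out[oi++] = (uint8_t)((hexval(v->data[i]) << 4) | hexval(v->data[i + 1]));
        i += 2;
    }
    return 0;
}

/* Self-check on constructed inputs; returns 1 when every case behaves. */
int blob_selftest(void)
{
    /* Constructed sample GUID text, copied WITHOUT a terminator. */
    const char *txt = "6ba7b810-9dad-11d1-80b4-00c04fd430c8";
    uint8_t g[16];
    int ok = 1;

    blob_t raw = blob_alloc_raw(txt, 36);
    ok &= guid_from_blob(&raw, g) == 0 && g[0] == 0x6b && g[15] == 0xc8;
    blob_free(&raw);

    blob_t cut = blob_alloc_raw(txt, 35);       /* one byte short: rejected */
    ok &= guid_from_blob(&cut, g) == -1;
    blob_free(&cut);

    blob_t term = blob_alloc_terminated(txt, 36); /* data[36] is a real '\0' */
    ok &= term.length == 36 && term.data[36] == '\0';
    blob_free(&term);
    return ok;
}
```

Build with -fsanitize=address and replace the length-bounded loop with a strlen() on a blob_alloc_raw buffer to see the one-byte-past-the-allocation read that the original terminator check would also perform on unterminated input; the over-allocating constructor is what makes such a check legitimate.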