svn commit: samba r19520 - in
branches/SAMBA_4_0/source/lib/ldb/samba: .
Andrew Bartlett
abartlet at samba.org
Wed Nov 1 23:02:58 GMT 2006
On Wed, 2006-11-01 at 16:49 -0500, simo wrote:
> On Thu, 2006-11-02 at 07:49 +1100, Andrew Bartlett wrote:
>
> > The fundamental problem comes from the fact that ldb presumes that all
> > buffers have a NULL terminator at v->data[v->length]. However, if you
> > create a data blob with data_blob(), or the ndr_push_data_blob
> > functions, this will not contain such a terminator.
> >
> > Relying on any data to be present at v->data[v->length] is inconsistent
> > and unexpected.
> >
> > I realise it works really nicely for strings, but currently it also
> > works by dumb luck as much as anything...
>
> This is exactly the problem, it may not be a string so it may not be
> terminated, in that case GUID_from_string could just read past the
> allocated memory and segfault. That's why there is a check on string
> termination.
>
> Maybe we can change DATA_BLOB to always allocate one extra null byte so
> that ldb_val and data_blob are compatible and surely null terminated.
I'm not sure that's practical, or desirable. Keep in mind that
data_blob intentionally does not write to it's memory, just malloc()s
it.
We also construct data_blobs from constant memory, etc.
I wonder if the better arrangement is to change code that extracts a
string from a data_blob to either do length-limited operations, or to
add a null terminator then. (Yes, I realise that has knobs on it
too...)
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc. http://redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20061102/18a1438f/attachment.bin
More information about the samba-technical
mailing list