svn commit: samba r19520 - in branches/SAMBA_4_0/source/lib/ldb/samba: .

Andrew Bartlett abartlet at
Wed Nov 1 23:02:58 GMT 2006

On Wed, 2006-11-01 at 16:49 -0500, simo wrote:
> On Thu, 2006-11-02 at 07:49 +1100, Andrew Bartlett wrote:
> > The fundamental problem comes from the fact that ldb presumes that all
> > buffers have a NULL terminator at v->data[v->length].  However, if you
> > create a data blob with data_blob(), or the ndr_push_data_blob
> > functions, this will not contain such a terminator.
> > 
> > Relying on any data to be present at v->data[v->length] is inconsistent
> > and unexpected.
> > 
> > I realise it works really nicely for strings, but currently it also
> > works by dumb luck as much as anything...
> This is exactly the problem, it may not be a string so it may not be
> terminated, in that case GUID_from_string could just read past the
> allocated memory and segfault. That's why there is a check on string
> termination.
> Maybe we can change DATA_BLOB to always allocate one extra null byte so
> that ldb_val and data_blob are compatible and surely null terminated.

I'm not sure that's practical, or desirable.  Keep in mind that
data_blob intentionally does not write to its memory, just malloc()s

We also construct data_blobs from constant memory, etc. 

I wonder if the better arrangement is to change code that extracts a
string from a data_blob to either do length-limited operations, or to
add a null terminator then.  (Yes, I realise that has knobs on it

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team
Samba Developer, Red Hat Inc.
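The arrangement Andrew suggests (length-limited operations, or explicitly adding a terminator when a string is extracted) can be illustrated with a small stand-alone C example. This is an added example, not code from Samba or from anyone in the thread: `struct ldb_val`, `blob_from_bytes()`, `ldb_val_to_cstring()`, `ldb_val_is_terminated()` and the simplified `guid_string_looks_valid()` check are all assumptions that mirror only the shape of the real types and of the termination check mentioned above, not their actual implementation.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed stand-in for the Samba ldb_val / DATA_BLOB shape: a pointer and a
 * length, with nothing said about what lies at data[length]. */
struct ldb_val {
    uint8_t *data;
    size_t length;
};

/* Models data_blob(): allocate exactly `len` bytes and copy, without writing
 * any terminator. After this call v.data[v.length] is outside the allocation,
 * so treating v.data as a C string would read past the buffer. */
static struct ldb_val blob_from_bytes(const void *p, size_t len)
{
    struct ldb_val v;
    v.data = malloc(len);
    if (v.data != NULL && len > 0) {
        memcpy(v.data, p, len);
    }
    v.length = (v.data != NULL) ? len : 0;
    return v;
}

/* Safe extraction: length-limited copy into a caller-owned buffer that is
 * always NUL-terminated. Returns 0 on success, -1 if the value does not fit
 * in `outlen` bytes (including the terminator) or contains an embedded NUL. */
static int ldb_val_to_cstring(const struct ldb_val *v, char *out, size_t outlen)
{
    if (outlen == 0) {
        return -1;
    }
    if (v->length >= outlen || memchr(v->data, '\0', v->length) != NULL) {
        out[0] = '\0';
        return -1;
    }
    memcpy(out, v->data, v->length);
    out[v->length] = '\0';
    return 0;
}

/* Check for a terminator *inside* the value's own length (the string "abc"
 * stored as 4 bytes), never by peeking at v->data[v->length]. */
static int ldb_val_is_terminated(const struct ldb_val *v)
{
    return v->length > 0 && v->data[v->length - 1] == '\0';
}

/* Assumed, simplified stand-in for the kind of check GUID_from_string needs:
 * validates the 36-character textual form 8-4-4-4-12 of hex digits using only
 * bytes within v->length. Returns 1 if well-formed, 0 otherwise. */
static int guid_string_looks_valid(const struct ldb_val *v)
{
    static const size_t dash_at[] = {8, 13, 18, 23};
    size_t n = v->length;
    size_t i, d;

    /* A terminator counted inside the length is tolerated but not required. */
    if (ldb_val_is_terminated(v)) {
        n--;
    }
    if (n != 36) {
        return 0;
    }
    for (i = 0; i < 36; i++) {
        int want_dash = 0;
        for (d = 0; d < sizeof(dash_at) / sizeof(dash_at[0]); d++) {
            if (dash_at[d] == i) {
                want_dash = 1;
            }
        }
        if (want_dash) {
            if (v->data[i] != '-') {
                return 0;
            }
        } else if (!isxdigit(v->data[i])) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: a GUID string stored as a blob with no terminator. */
    const char *guid = "12345678-1234-1234-1234-123456789abc";
    struct ldb_val v = blob_from_bytes(guid, 36);
    char out[64];

    int ok = guid_string_looks_valid(&v) && ldb_val_to_cstring(&v, out, sizeof out) == 0;
    free(v.data);
    return ok ? 0 : 1;
}
```

Both safe paths treat `v->length` as the only trustworthy bound: `ldb_val_to_cstring()` adds the terminator itself in memory the caller owns, and `guid_string_looks_valid()` never needs one. Under `-fsanitize=address`, a `strlen(v.data)` on a blob from `blob_from_bytes()` would be reported as a heap-buffer-overflow read, which is the failure the thread describes.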
