svn commit: samba r23668 - in branches: SAMBA_3_0/source/lib
SAMBA_3_0_26/source/lib
Jeremy Allison
jra at samba.org
Sat Jun 30 23:53:49 GMT 2007
On Sat, Jun 30, 2007 at 11:52:24PM +0000, obnox at samba.org wrote:
> Author: obnox
> Date: 2007-06-30 23:52:23 +0000 (Sat, 30 Jun 2007)
> New Revision: 23668
>
> WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=23668
>
> Log:
> When creating a new string value, win2k regedit delivers
> one byte of data despite characters being two-byte.
>
> This modifies registry_pull_value, to change the data
> to the correct two-byte version of the empty string,
> (as delivered by winxp), when only one byte of data is
> received.
> + if (!(tmp = SMB_MALLOC_ARRAY(smb_ucs2_t, num_ucs2+1))) {
> + err = WERR_NOMEM;
> + goto error;
> + }
>
> - if (!(tmp = SMB_MALLOC_ARRAY(smb_ucs2_t, num_ucs2+1))) {
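Review bot: In the `SMB_MALLOC_ARRAY(smb_ucs2_t, num_ucs2+1)` call, the `+1` is evaluated before the allocator sees the count, so a `num_ucs2` at the maximum of its type wraps the argument to 0 and the buffer ends up too small for the string and its terminator. The quoted lines do not show where `num_ucs2` is set; if it derives from the client-supplied data length, add an explicit upper-bound check on `num_ucs2` ahead of this call and take the existing `goto error` path when it fails.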
DANGER DANGER !!!!! Does num_ucs2 come from the client ?
You must check for integer wrap here otherwise you've
just added a security hole !!!!
Jeremy.
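
The integer wrap raised in the reply above, shown as an added example that is not code from the Samba tree or from either poster. It assumes `num_ucs2` is a 32-bit count under client control; `ucs2_t`, `MAX_UCS2_CHARS` and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t ucs2_t;            /* assumption: stand-in for smb_ucs2_t */
#define MAX_UCS2_CHARS (1u << 20)   /* hypothetical policy cap on string length */

/* Unchecked form: count + terminator computed in 32 bits.
 * For num_ucs2 == UINT32_MAX the result wraps to 0. */
uint32_t unchecked_count(uint32_t num_ucs2)
{
    return num_ucs2 + 1;
}

/* Checked form: reject the count before any arithmetic is done on it.
 * Returns 0 and stores the byte size, or -1 if the count is out of range. */
int checked_alloc_bytes(uint32_t num_ucs2, size_t *bytes)
{
    if (num_ucs2 >= MAX_UCS2_CHARS)
        return -1;
    /* num_ucs2 + 1 <= 2^20, so neither the +1 nor the multiply can wrap. */
    *bytes = ((size_t)num_ucs2 + 1) * sizeof(ucs2_t);
    return 0;
}

/* Copy num_ucs2 characters and NUL-terminate; NULL on bad count or no memory. */
ucs2_t *dup_ucs2(const ucs2_t *src, uint32_t num_ucs2)
{
    size_t bytes;
    ucs2_t *tmp;

    if (checked_alloc_bytes(num_ucs2, &bytes) != 0)
        return NULL;
    if (!(tmp = malloc(bytes)))
        return NULL;
    if (num_ucs2 > 0)
        memcpy(tmp, src, (size_t)num_ucs2 * sizeof(ucs2_t));
    tmp[num_ucs2] = 0;
    return tmp;
}

int main(void)
{
    const ucs2_t sample[] = { 'a', 'b' };   /* constructed sample input */
    printf("unchecked count: %u\n", (unsigned)unchecked_count(UINT32_MAX));
    printf("checked copy: %s\n", dup_ucs2(sample, UINT32_MAX) ? "allocated" : "rejected");
    return 0;
}
```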
More information about the samba-technical
mailing list