[PATCH] lib/tdb: fix theoretical flaw with read of zero-length records

Rusty Russell rusty at rustcorp.com.au
Wed Jul 29 22:08:02 MDT 2009


If the record is at the end of the database, pretending it has length 1
might take us out-of-bounds.  Only pretend to be length 1 for the malloc.

Signed-off-by: Rusty Russell <rusty at rustcorp.com.au>
---
 lib/tdb/common/io.c |    6 +-----
 1 files changed, 1 insertions(+), 5 deletions(-)

diff --git a/lib/tdb/common/io.c b/lib/tdb/common/io.c
index 661f761..cb38ea1 100644
--- a/lib/tdb/common/io.c
+++ b/lib/tdb/common/io.c
@@ -383,11 +383,7 @@ unsigned char *tdb_alloc_read(struct tdb_context *tdb, 
tdb_off_t offset, tdb_len
 	unsigned char *buf;
 
 	/* some systems don't like zero length malloc */
-	if (len == 0) {
-		len = 1;
-	}
-
-	if (!(buf = (unsigned char *)malloc(len))) {
+	if (!(buf = (unsigned char *)malloc(len ? len : 1))) {
 		/* Ensure ecode is set for log fn. */
 		tdb->ecode = TDB_ERR_OOM;
 		TDB_LOG((tdb, TDB_DEBUG_ERROR,"tdb_alloc_read malloc failed len=%d (%s)\n",
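Review bot: the `+` line keeps `len` at its real value and only bumps the malloc argument (`len ? len : 1`), which is what removes the out-of-bounds read the commit message describes, since the later read now uses the true zero length rather than the overwritten 1; the comment above it ("some systems don't like zero length malloc") should be extended to say that the single byte allocated for `len == 0` is never filled and must not be read by callers, because that invariant is no longer obvious from the code. Also worth noting that the `TDB_LOG` line now reports the real `len` (0) instead of 1, which is more accurate than before. The `(unsigned char *)` cast on `malloc` is unnecessary in C, but that predates this change.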
-- 
1.6.0.4