[PATCH 08/12] torture: Provide enough space for test EA name in raw.eas test

Andrew Bartlett abartlet at samba.org
Mon Sep 8 17:40:23 MDT 2014


On Mon, 2014-09-08 at 05:28 +0200, Kamen Mazdrashki wrote:
> 
> 
> I think you should also change the following line from:
>   bad_ea_name[5] = (char)i;
> to
>   bad_ea_name[6] = (char)i;
> to preserve the original idea for this test

No, because if we did that we would again write over the NULL
terminator.  The issue is that previously bad_ea_name[5] was the last
element on the array, and so when we later did a strlen() on it, we read
past the end of the stack array.  We need bad_ea_name[5] to be the
second-last element, followed by the \0 placed there by the strlcpy().

A patch with an improved commit message is attached.

Please review/push.

Andrew Bartlett

> Reviewed-by: Kamen Mazdrashki <kamenim at samba.org>
> 
> 
> 
> Cheers,
> kamen
> 
> On Mon, Sep 8, 2014 at 1:30 AM, <abartlet at samba.org> wrote:
>         From: Andrew Bartlett <abartlet at samba.org>
>         
>         Found by AddressSanitizer
>         
>         Change-Id: I871c08200aa2591c612dfa44da92b83132f83d88
>         Signed-off-by: Andrew Bartlett <abartlet at samba.org>
>         ---
>          source4/torture/raw/eas.c | 2 +-
>          1 file changed, 1 insertion(+), 1 deletion(-)
>         
>         diff --git a/source4/torture/raw/eas.c
>         b/source4/torture/raw/eas.c
>         index 95a55d1..15bfb2f 100644
>         --- a/source4/torture/raw/eas.c
>         +++ b/source4/torture/raw/eas.c
>         @@ -51,7 +51,7 @@ static bool test_eas(struct smbcli_state
>         *cli, struct torture_context *tctx)
>                 union smb_open io;
>                 const char *fname = BASEDIR "\\ea.txt";
>                 bool ret = true;
>         -       char bad_ea_name[6];
>         +       char bad_ea_name[7];
>                 int i;
>                 int fnum = -1;
>         
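
Review bot: the new size in `char bad_ea_name[7];` is a bare literal, and nothing at the declaration says why 7 is required. Per the discussion in this thread, index 5 is overwritten later and the terminator written by strlcpy() has to sit at index 6, so a one-line comment at the declaration stating that relationship (or deriving the size with sizeof from the name being copied in) would keep a later edit from shrinking the array or moving the write index. The commit message carries only "Found by AddressSanitizer"; naming the strlen() over-read there would make the fix easier to audit.
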
>         --
>         2.1.0
>         
> 
> 

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-torture-Provide-enough-space-for-test-EA-name-in-raw.patch
Type: text/x-patch
Size: 1143 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20140909/25dd262a/attachment.bin>
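
The off-by-one discussed in the reply above, as an added example (not code from the Samba tree or from either participant): it models a `char name[cap]` array inside a larger backing buffer so that the check itself stays in bounds, and covers both the original size and the index change proposed in the quoted review. The `"TEST_X"` template, `copy_trunc` (a stand-in for `strlcpy()`) and `bounded_len_after_write` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BACKING 16 /* real storage, so the demo never reads out of bounds */

/* strlcpy-style copy (stand-in; strlcpy is not in every libc): copies at
 * most cap-1 bytes and always terminates when cap > 0. */
static size_t copy_trunc(char *dst, const char *src, size_t cap)
{
	size_t len = strlen(src);
	if (cap > 0) {
		size_t n = len < cap - 1 ? len : cap - 1;
		memcpy(dst, src, n);
		dst[n] = '\0';
	}
	return len;
}

/* Model `char name[cap]`: copy tmpl in, overwrite name[idx], then look for a
 * terminator inside the first cap bytes only. Returns the string length, or
 * -1 when no terminator is left (strlen() would run off the array) or when
 * the arguments cannot be modelled. */
static int bounded_len_after_write(size_t cap, size_t idx, const char *tmpl, char c)
{
	char backing[BACKING];
	const char *nul;

	if (cap == 0 || cap > BACKING || idx >= cap)
		return -1;
	memset(backing, 'Z', sizeof(backing)); /* filler models adjacent stack bytes */
	copy_trunc(backing, tmpl, cap);
	backing[idx] = c;
	nul = memchr(backing, '\0', cap);
	return nul ? (int)(nul - backing) : -1;
}

int main(void)
{
	const char *tmpl = "TEST_X"; /* constructed template, an assumption */

	printf("name[6], write [5]: %d\n", bounded_len_after_write(6, 5, tmpl, '!'));
	printf("name[7], write [5]: %d\n", bounded_len_after_write(7, 5, tmpl, '!'));
	printf("name[7], write [6]: %d\n", bounded_len_after_write(7, 6, tmpl, '!'));
	return 0;
}
```

A result of -1 marks the layouts in which an unbounded `strlen()` would read past the array, which is the condition AddressSanitizer reports as a stack-buffer-overflow read.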

