Bug in talloc_asprintf_append()
Jeremy Allison
jra at samba.org
Wed Sep 12 21:12:56 GMT 2007
Tridge,
The talloc_asprintf_append() function doesn't take
into account a truncated string.
Imagine the following:
/* talloc a 10 byte string. */
char *s = talloc_strdup(NULL, "0123456789");
s[5] = '\0';
s = talloc_asprintf_append(s,
                           "%s",
                           "56789");
The result of s will be:
+---------------------------------+
|0|1|2|3|4|\0|6|7|8|9|5|6|7|8|9|\0|
+---------------------------------+
instead of:
+--------------------------------+
|0|1|2|3|4|5|6|7|8|9|5|6|7|8|9|\0|
+--------------------------------+
As the code in talloc_vasprintf_append()
calculates the size as:
tc = talloc_chunk_from_ptr(s);
s_len = tc->size - 1;
reallocs as:
s = talloc_realloc(NULL, s, char, s_len + len+1);
and finally prints as:
vsnprintf(s+s_len, len+1, fmt, ap2);
I think s_len should be strlen(s) instead.
Do you concur?
This has tripped me up in the talloc rewrite for
the Samba3 file serving paths, and I want to know
that it's not intentional (I don't think it could
be, but you never know).
Jeremy.
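Added example, not part of Jeremy's mail and not talloc's code: a small C model of the bug described above. The struct chunk header, the chunk_*() helpers, asprintf_append(), reproduce() and reproduce_matches() are all constructed for this illustration; the header only records the allocation size, which is enough to compare the two ways of computing s_len (tc->size - 1 versus strlen(s)) on the exact scenario in the mail.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a talloc chunk header: the usable size of the
 * allocation is kept just in front of the user pointer, the way
 * talloc_chunk_from_ptr(s)->size exposes it. Not talloc itself. */
struct chunk {
	size_t size;	/* bytes usable by the caller, NUL included */
};

static struct chunk *chunk_from_ptr(char *p)
{
	return (struct chunk *)(p - sizeof(struct chunk));
}

static char *chunk_alloc(size_t size)
{
	struct chunk *c = malloc(sizeof(struct chunk) + size);
	if (c == NULL) return NULL;
	c->size = size;
	return (char *)(c + 1);
}

static char *chunk_realloc(char *p, size_t size)
{
	struct chunk *c = realloc(chunk_from_ptr(p), sizeof(struct chunk) + size);
	if (c == NULL) return NULL;
	c->size = size;
	return (char *)(c + 1);
}

static void chunk_free(char *p) { free(chunk_from_ptr(p)); }

static char *chunk_strdup(const char *src)
{
	size_t n = strlen(src) + 1;
	char *p = chunk_alloc(n);
	if (p != NULL) memcpy(p, src, n);
	return p;
}

/* Append formatted text to s. With use_strlen == 0 the existing length is
 * taken from the chunk size (the behaviour the mail describes); with
 * use_strlen == 1 it is strlen(s), the fix the mail proposes. */
static char *asprintf_append(char *s, int use_strlen, const char *fmt, ...)
{
	va_list ap, ap2;
	size_t s_len = use_strlen ? strlen(s) : chunk_from_ptr(s)->size - 1;
	va_start(ap, fmt);
	va_copy(ap2, ap);
	int len = vsnprintf(NULL, 0, fmt, ap);
	va_end(ap);
	if (len < 0) { va_end(ap2); return NULL; }
	char *n = chunk_realloc(s, s_len + (size_t)len + 1);
	if (n == NULL) { va_end(ap2); return NULL; }
	vsnprintf(n + s_len, (size_t)len + 1, fmt, ap2);
	va_end(ap2);
	return n;
}

/* The mail's scenario: duplicate "0123456789", truncate at index 5,
 * append "56789". Caller frees the result with chunk_free(). */
static char *reproduce(int use_strlen)
{
	char *s = chunk_strdup("0123456789");
	if (s == NULL) return NULL;
	s[5] = '\0';
	return asprintf_append(s, use_strlen, "%s", "56789");
}

/* Run the scenario, compare the visible C string with expected and
 * optionally report the final chunk size. Returns 1 on match. */
static int reproduce_matches(int use_strlen, const char *expected, size_t *size)
{
	char *s = reproduce(use_strlen);
	if (s == NULL) return 0;
	int ok = strcmp(s, expected) == 0;
	if (size != NULL) *size = chunk_from_ptr(s)->size;
	chunk_free(s);
	return ok;
}

/* Print both layouts byte by byte, in the style of the mail's diagrams. */
int main(void)
{
	for (int mode = 0; mode <= 1; mode++) {
		char *s = reproduce(mode);
		if (s == NULL) return 1;
		size_t sz = chunk_from_ptr(s)->size;
		printf("%-9s strlen=%zu size=%zu |", mode ? "strlen(s)" : "size-1", strlen(s), sz);
		for (size_t i = 0; i < sz; i++)
			if (s[i] != '\0') printf("%c|", s[i]); else printf("\\0|");
		printf("\n");
		chunk_free(s);
	}
	return 0;
}
```

Compiled and run on its own, main() prints the byte layout for both variants: the size-1 variant produces the 16-byte buffer from the first diagram with a visible string of "01234", the strlen(s) variant the 11-byte "0123456789". The size-based variant does not overrun anything, which is why it is easy to miss: the stale bytes after the NUL are kept and the appended text lands past them, where strlen() and every caller that treats s as a C string never see it.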