The branch, v3-0-test has been updated
       via  dd3441022775f24cf66bd75daf899e92492eaeec (commit)
      from  8957254118832d07440bf244006f216ac5b38dc2 (commit)

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-0-test


- Log -----------------------------------------------------------------
commit dd3441022775f24cf66bd75daf899e92492eaeec
Author: Jeremy Allison <[EMAIL PROTECTED]>
Date:   Fri Feb 1 14:54:19 2008 -0800

    Ensure that convert_string_allocate() allocates 2 extra
    bytes and null terminates them to ensure NDR wire-reads
    of string types are always null terminated. Bug found by
    Volker after great pain :-).
    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source/lib/charcnv.c |   20 ++++++++++++++------
 1 files changed, 14 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source/lib/charcnv.c b/source/lib/charcnv.c
index 7b52830..7d42e50 100644
--- a/source/lib/charcnv.c
+++ b/source/lib/charcnv.c
@@ -525,7 +525,7 @@ size_t convert_string(charset_t from, charset_t to,
 size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t from, charset_t to,
                               void const *src, size_t srclen, void *dst, BOOL 
allow_bad_conv)
 {
-       size_t i_len, o_len, destlen = MAX(srclen, 512);
+       size_t i_len, o_len, destlen = (srclen * 3) / 2;
        size_t retval;
        const char *inbuf = (const char *)src;
        char *outbuf = NULL, *ob = NULL;
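Review bot: The new initializer `destlen = (srclen * 3) / 2` can wrap when `srclen` exceeds a third of `SIZE_MAX`, and `srclen` is caller-supplied — for the NDR wire reads this commit targets it is ultimately a length taken from the network. The wrap check later in the function only covers the doubling step, not this multiplication; writing it as `size_t i_len, o_len, destlen = srclen + srclen / 2;` gives the same value for every input that does not wrap, with no intermediate overflow. Dropping the old `MAX(srclen, 512)` floor also means `srclen == 0` now starts with `destlen == 0`, which the `destlen = destlen * 2` growth step can never enlarge; that is harmless only as long as zero-length input produces zero output, which I assume holds but cannot confirm from the hunk. convert_string_allocate's body continues past this hunk.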
@@ -551,7 +551,8 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t 
from, charset_t to,
 
   convert:
 
-       if ((destlen*2) < destlen) {
+       /* +2 is for ucs2 null termination. */
+       if ((destlen*2)+2 < destlen) {
                /* wrapped ! abort. */
                if (!conv_silent)
                        DEBUG(0, ("convert_string_allocate: destlen wrapped 
!\n"));
@@ -562,10 +563,11 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t 
from, charset_t to,
                destlen = destlen * 2;
        }
 
+       /* +2 is for ucs2 null termination. */
        if (ctx) {
-               ob = (char *)TALLOC_REALLOC(ctx, ob, destlen);
+               ob = (char *)TALLOC_REALLOC(ctx, ob, destlen + 2);
        } else {
-               ob = (char *)SMB_REALLOC(ob, destlen);
+               ob = (char *)SMB_REALLOC(ob, destlen + 2);
        }
 
        if (!ob) {
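Review bot: The terminator size is a bare `2` in both allocation sizes here, in the wrap check, and again in the final realloc, with the same comment repeated at each site; a single named constant keeps the four sites from drifting and makes the comment unnecessary, e.g. `#define UCS2_NULL_TERM_SIZE 2 /* ucs2 terminator appended to every result */` at the top of the file and `ob = (char *)TALLOC_REALLOC(ctx, ob, destlen + UCS2_NULL_TERM_SIZE);`. The `ob = REALLOC(ob, ...)` pattern overwrites the only pointer to the old block; whether TALLOC_REALLOC and SMB_REALLOC free the old block on failure is not visible here, so if either keeps it alive the `if (!ob)` path that follows leaks it — worth confirming against the two wrappers. The enclosing function starts and ends outside this hunk.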
@@ -611,9 +613,10 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t 
from, charset_t to,
 
        destlen = destlen - o_len;
        if (ctx) {
-               ob = (char *)TALLOC_REALLOC(ctx,ob,destlen);
+               /* We're shrinking here so we know the +2 is safe from wrap. */
+               ob = (char *)TALLOC_REALLOC(ctx,ob,destlen + 2);
        } else {
-               ob = (char *)SMB_REALLOC(ob,destlen);
+               ob = (char *)SMB_REALLOC(ob,destlen + 2);
        }
 
        if (destlen && !ob) {
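Review bot: The failure guard `if (destlen && !ob)` on the last line of the hunk no longer matches the allocation above it: the realloc now asks for `destlen + 2`, which is never zero, so a NULL return is always an allocation failure, yet when `destlen == 0` the guard lets execution fall through to the terminator stores that this commit adds right after the hunk, which then write through a NULL pointer. The guard should become `if (!ob) {`. The "shrinking" comment on the TALLOC_REALLOC line is correct — `destlen` here is the byte count actually produced, which cannot exceed the size that already passed the `+2` wrap check. The function continues outside this hunk.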
@@ -622,6 +625,11 @@ size_t convert_string_allocate(TALLOC_CTX *ctx, charset_t 
from, charset_t to,
        }
 
        *dest = ob;
+
+       /* Must ucs2 null terminate in the extra space we allocated. */
+       ob[destlen] = '\0';
+       ob[destlen+1] = '\0';
+
        return destlen;
 
  use_as_is:
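Review bot: The returned `destlen` excludes the two terminator bytes now always stored at `ob[destlen]` and `ob[destlen+1]`, and the function's header comment (outside this hunk) should say so, because a caller that copies or reallocates `*dest` by the returned length will silently drop the terminator the commit message promises; suggested wording: `/* The returned length excludes the two NUL bytes always appended to *dest, so *dest can be read as a ucs2 or ascii string. */`. The `use_as_is:` label at the end of the hunk marks a second exit path whose buffer handling is not visible here; if it hands a buffer to the same callers it needs the same two extra bytes and terminator stores, otherwise the guarantee only holds on the conversion path — please confirm.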


-- 
Samba Shared Repository
