The branch, v3-6-test has been updated
via bc3af75 s3:registry: fix the test for a REG_SZ blob possibly being
a zero terminated ucs2 string
via 11287ce s3:registry: reg_format: handle unterminated REG_SZ blobs
from b824418 First part of fix for bug #8419 - Make VFS op "streaminfo"
stackable.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test
- Log -----------------------------------------------------------------
commit bc3af75ec9841753b5bfbcd04d9a412f7ee5c4b5
Author: Michael Adam <[email protected]>
Date: Thu Sep 29 18:06:56 2011 +0200
s3:registry: fix the test for a REG_SZ blob possibly being a zero
terminated ucs2 string
1. catch data blobs with an odd number of bytes (not a ucs2 string at all)
2. test the right ucs2 character to be 0
(prevent out-of-bounds access/potential segfault)
Autobuild-User: Michael Adam <[email protected]>
Autobuild-Date: Sun Oct 2 01:26:05 CEST 2011 on sn-devel-104
(cherry picked from commit 95bb2c23e6e9c52a1e34916dff05b1d306278bc6)
The last 2 patches address bug #8528 (SEGFAULT from net registry export on
not zero terminated REG_SZ values).
commit 11287cec6a53717c7abc5a54c2607f8ffb33d8bb
Author: Gregor Beck <[email protected]>
Date: Tue Sep 6 09:24:10 2011 +0200
s3:registry: reg_format: handle unterminated REG_SZ blobs
Signed-off-by: Michael Adam <[email protected]>
(cherry picked from commit b9da4235566ffdd649d7b4a6ca05cecd02cfbd20)
-----------------------------------------------------------------------
Summary of changes:
source3/registry/reg_format.c | 19 ++++++++++++++++++-
1 files changed, 18 insertions(+), 1 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/registry/reg_format.c b/source3/registry/reg_format.c
index 658076c..db03961 100644
--- a/source3/registry/reg_format.c
+++ b/source3/registry/reg_format.c
@@ -326,6 +326,21 @@ done:
return ret;
}
+static bool is_zero_terminated_ucs2(const uint8_t* data, size_t len) {
+ const size_t idx = len/sizeof(smb_ucs2_t);
+ const smb_ucs2_t *str = (const smb_ucs2_t*)data;
+
+ if ((len % sizeof(smb_ucs2_t)) != 0) {
+ return false;
+ }
+
+ if (idx == 0) {
+ return false;
+ }
+
+ return (str[idx-1] == 0);
+}
+
int reg_format_value(struct reg_format* f, const char* name, uint32_t type,
const uint8_t* data, size_t len)
{
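Review bot: In is_zero_terminated_ucs2(), the final read str[idx-1] goes through a const uint8_t* cast to const smb_ucs2_t*, and nothing in this hunk guarantees that data is aligned for a 2-byte load, so the access can be misaligned on strict-alignment platforms. Assuming smb_ucs2_t is 2 bytes, the two checks above it already establish that len is even and at least 2, so comparing the last two bytes directly (data[len-2] == 0 && data[len-1] == 0) gives the same answer without the cast. The helper also has no comment: one line stating that it accepts only non-empty, even-length blobs whose last UCS-2 character is 0 would record the contract, and idx could be computed after the modulo check so the code follows the order of the reasoning.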
@@ -334,7 +349,9 @@ int reg_format_value(struct reg_format* f, const char*
name, uint32_t type,
switch (type) {
case REG_SZ:
- if (!(f->flags & REG_FMT_HEX_SZ)) {
+ if (!(f->flags & REG_FMT_HEX_SZ)
+ && is_zero_terminated_ucs2(data, len))
+ {
char* str = NULL;
size_t dlen;
if (pull_ucs2_talloc(mem_ctx, &str, (const
smb_ucs2_t*)data, &dlen)) {
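Review bot: The added condition in case REG_SZ only tests the last character, while the pull_ucs2_talloc() call below it is passed data without len and so has to stop at the first 0 character. A blob with an embedded 0 before the final one passes is_zero_terminated_ucs2() and, unless code past the visible lines handles it, is exported as a shortened string. Either have the helper confirm that the first 0 character is the one at idx-1, or add a comment saying the truncation is accepted. A comment above the if stating what output a REG_SZ value gets when the test fails would also help, since that path is not visible in this hunk, and the diffstat shows only reg_format.c changed, so a regression test with an odd-length blob and an unterminated blob for bug #8528 is worth adding.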
--
Samba Shared Repository