author | Noel Power <noel.power@suse.com> | 2019-05-21 13:08:15 +0000 |
---|---|---|
committer | Noel Power <npower@samba.org> | 2019-05-29 10:10:23 +0000 |
commit | 5477b83db28c67743e25a638c93bc4117a8a7ced (patch) | |
tree | 727bc546b272bfbd311863350cd2fc32831fdb11 /source3/lib | |
parent | 75afaeb749991925f17517ce50a96178d32d7922 (diff) | |
s3/lib: don't write to buffer (which might be NULL) if bufsize <=0
Some code depends on tdb_pack[va] returning the number of bytes it
would write to 'buf' if the bufsize passed in is <=0; writing to the
buffer is protected by lines like
if (bufsize && bufsize >= len) {
/* write to 'buf' */
}
however in these instances the local pointer to the buffer is still
modified
buf += len;
It's quite probable if bufsize == 0 that buf itself is NULL,
in this case we should protect against performing pointer arithmetic.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Diffstat (limited to 'source3/lib')
-rw-r--r-- | source3/lib/util_tdb.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/source3/lib/util_tdb.c b/source3/lib/util_tdb.c
index 0d1532193d4..943847f04a3 100644
--- a/source3/lib/util_tdb.c
+++ b/source3/lib/util_tdb.c
@@ -44,10 +44,9 @@ static size_t tdb_pack_va(uint8_t *buf, int bufsize, const char *fmt, va_list ap
 int len = 0;
 char *s;
 char c;
- uint8_t *buf0 = buf;
 const char *fmt0 = fmt;
 int bufsize0 = bufsize;
-
+ size_t to_write = 0;
 while (*fmt) {
 switch ((c = *fmt++)) {
 case 'b': /* unsigned 8-bit integer */
@@ -104,17 +103,19 @@ static size_t tdb_pack_va(uint8_t *buf, int bufsize, const char *fmt, va_list ap
 break;
 }
- buf += len;
- if (bufsize)
+ to_write += len;
+ if (bufsize > 0) {
 bufsize -= len;
+ buf += len;
+ }
 if (bufsize < 0)
 bufsize = 0;
 }
 DEBUG(18,("tdb_pack_va(%s, %d) -> %d\n",
- fmt0, bufsize0, (int)PTR_DIFF(buf, buf0)));
+ fmt0, bufsize0, (int)to_write));
- return PTR_DIFF(buf, buf0);
+ return to_write;
 }
 size_t tdb_pack(uint8_t *buf, int bufsize, const char *fmt, ...) |
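Review bot: In the new `if (bufsize > 0)` block of the second hunk, `buf += len;` still runs when the item is larger than the space left, so `buf` can be advanced past the end of the caller's buffer; the `if (bufsize < 0) bufsize = 0;` clamp directly after it shows that this case is expected. Forming a pointer beyond one-past-the-end is undefined behaviour even when it is never dereferenced, which is the same class of problem this commit removes for a NULL `buf`. Because `bufsize -= len;` runs first, advancing only when the result is non-negative would cover it: `if (bufsize >= 0) buf += len;`. The per-format cases that compute `len` lie between the two hunks and are not visible here, so this assumes `len` is never negative, which is worth confirming now that it is also accumulated into the unsigned `to_write`.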