mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
s3/lib: don't write to buffer (which might be NULL) if bufsize <=0
Some code depends on tdb_pack[va] returning the number of bytes it would write to 'buf' if the bufsize passed in is <=0. Writing to the buffer is protected by lines like if (bufsize && bufsize >= len) { /* write to 'buf' */ }, however in these instances the local pointer to the buffer is still modified: buf += len; It's quite probable if bufsize == 0 that buf itself is NULL; in this case we should protect against performing pointer arithmetic. Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andreas Schneider <asn@samba.org>
parent
75afaeb749
commit
5477b83db2
@ -44,10 +44,9 @@ static size_t tdb_pack_va(uint8_t *buf, int bufsize, const char *fmt, va_list ap
|
||||
int len = 0;
|
||||
char *s;
|
||||
char c;
|
||||
uint8_t *buf0 = buf;
|
||||
const char *fmt0 = fmt;
|
||||
int bufsize0 = bufsize;
|
||||
|
||||
size_t to_write = 0;
|
||||
while (*fmt) {
|
||||
switch ((c = *fmt++)) {
|
||||
case 'b': /* unsigned 8-bit integer */
|
||||
@ -104,17 +103,19 @@ static size_t tdb_pack_va(uint8_t *buf, int bufsize, const char *fmt, va_list ap
|
||||
break;
|
||||
}
|
||||
|
||||
buf += len;
|
||||
if (bufsize)
|
||||
to_write += len;
|
||||
if (bufsize > 0) {
|
||||
bufsize -= len;
|
||||
buf += len;
|
||||
}
|
||||
if (bufsize < 0)
|
||||
bufsize = 0;
|
||||
}
|
||||
|
||||
DEBUG(18,("tdb_pack_va(%s, %d) -> %d\n",
|
||||
fmt0, bufsize0, (int)PTR_DIFF(buf, buf0)));
|
||||
fmt0, bufsize0, (int)to_write));
|
||||
|
||||
return PTR_DIFF(buf, buf0);
|
||||
return to_write;
|
||||
}
|
||||
|
||||
size_t tdb_pack(uint8_t *buf, int bufsize, const char *fmt, ...)
|
||||
|
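Review bot: In the second hunk, `buf += len` still runs whenever `bufsize > 0`, including when `len` is larger than the remaining `bufsize`, which is the case the following `if (bufsize < 0) bufsize = 0;` clamp exists for. In that case the pointer is moved past the end of the caller's buffer, which is undefined behaviour in C even though the per-format write guards quoted in the commit message keep it from being dereferenced. Tightening the guard to `if (bufsize > 0 && bufsize >= len) {` and setting `bufsize = 0;` in an `else` branch would keep `buf` within the buffer and make the clamp explicit. A comment above `to_write += len;` such as `/* count bytes even when nothing is written, so callers can size the buffer */` would also record the sizing-call contract. The body of tdb_pack_va between the two hunks is not shown, so the form of the write guards is taken from the commit description.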