mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00

s3/lib: don't write to buffer (which might be NULL) if bufsize <=0

Some code depends on tdb_pack[va] returning the number of bytes it
would write to 'buf' if the bufsize passed in is <=0. Writing to the
buffer is protected by lines like
   if (bufsize && bufsize >= len) {
      /* write to 'buf' */
   }

however in these instances the local pointer to the buffer is still
modified
   buf += len;

It's quite probable if bufsize == 0 that buf itself is NULL,
in this case we should protect against performing pointer arithmetic.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Noel Power 2019-05-21 13:08:15 +00:00 committed by Noel Power
parent 75afaeb749
commit 5477b83db2


@ -44,10 +44,9 @@ static size_t tdb_pack_va(uint8_t *buf, int bufsize, const char *fmt, va_list ap
int len = 0;
char *s;
char c;
uint8_t *buf0 = buf;
const char *fmt0 = fmt;
int bufsize0 = bufsize;
size_t to_write = 0;
while (*fmt) {
switch ((c = *fmt++)) {
case 'b': /* unsigned 8-bit integer */
@ -104,17 +103,19 @@ static size_t tdb_pack_va(uint8_t *buf, int bufsize, const char *fmt, va_list ap
break;
}
buf += len;
if (bufsize)
to_write += len;
if (bufsize > 0) {
bufsize -= len;
buf += len;
}
if (bufsize < 0)
bufsize = 0;
}
DEBUG(18,("tdb_pack_va(%s, %d) -> %d\n",
fmt0, bufsize0, (int)PTR_DIFF(buf, buf0)));
fmt0, bufsize0, (int)to_write));
return PTR_DIFF(buf, buf0);
return to_write;
}
size_t tdb_pack(uint8_t *buf, int bufsize, const char *fmt, ...)
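Review bot: In the second hunk, `buf += len;` still runs whenever `bufsize > 0`, including when `len` is larger than the space left, so `buf` can be moved past the end of the caller's buffer before `bufsize` is clamped to 0. The commit message says the writes themselves are guarded by `bufsize >= len` (those lines sit between the two hunks and are not shown), so this looks like out-of-bounds pointer arithmetic rather than an out-of-bounds write, but it is the same class of undefined behaviour the commit removes for the NULL case. Advancing only when the item fits would close it: `if (bufsize > 0 && len <= bufsize) { bufsize -= len; buf += len; } else { bufsize = 0; }`. Separately, `to_write` is a `size_t` accumulated from the `int` `len` and narrowed again by `(int)to_write` in the DEBUG call. A comment on its declaration such as `/* bytes the format requires, counted even when nothing is written to buf */` would record the contract that size-probing callers rely on.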