Fix 2 off-by-one bugs in the use of malloc()ed strings and safe_strcpy().

safe_strcpy() isn't particularly safe (this has been noted before) as it does
not take the size of the buffer, but instead the size of the buffer *minus 1*

The locking.c fix was causing segfaults on machines running with
--enable-developer, and was tracked down thanks to the fact that vance's build
farm machine runs with such an option, and smbtorture's DIR1 test hits this
bug very well.

(The --enable-developer code writes to the last byte of the string, to check
for incorrect use of safe_strcpy()).

Andrew Bartlett

source/lib/hash.c

@@ -171,6 +171,7 @@ hash_element *hash_insert(hash_table *table, char *value, char *key)
 	hash_element	*hash_elem;
 	ubi_dlNodePtr lru_item;
 	ubi_dlList *bucket; 
+	size_t string_length;
 
 	/* 
 	 * If the hash table size has not reached the MAX_HASH_TABLE_SIZE,
@@ -204,12 +205,13 @@ hash_element *hash_insert(hash_table *table, char *value, char *key)
 	 * string.
 	 */
 
-	if(!(hash_elem = (hash_element *) malloc(sizeof(hash_element) + strlen(key)))) {
+	string_length = strlen(key);
+	if(!(hash_elem = (hash_element *) malloc(sizeof(hash_element) + string_length))) {
 		DEBUG(0,("hash_insert: malloc fail !\n"));
 		return (hash_element *)NULL;
 	}
 
-	safe_strcpy((char *) hash_elem->key, key, strlen(key)+1);
+	safe_strcpy((char *) hash_elem->key, key, string_length);
 
 	hash_elem->value = (char *)value;
 	hash_elem->bucket = bucket;

source/locking/locking.c

@@ -630,7 +630,7 @@ BOOL set_share_mode(files_struct *fsp, uint16 port, uint16 op_type)
 			fsp->fsp_name ));
 
 		offset = sizeof(*data) + sizeof(share_mode_entry);
-		safe_strcpy(p + offset, fname, size - offset);
+		safe_strcpy(p + offset, fname, size - offset - 1);
 		fill_share_mode(p + sizeof(*data), fsp, port, op_type);
 		dbuf.dptr = p;
 		dbuf.dsize = size;