Fix bug 6546: Avoid accessing buf[-1] if NUL byte comes from fgets

diff --git a/source3/utils/eventlogadm.c b/source3/utils/eventlogadm.c
index 7fc04b008e27867f15026c121993687dd3547735..415330f68c898839bff377a4ce304898fcb5051b 100644 (file)
--- a/source3/utils/eventlogadm.c
+++ b/source3/utils/eventlogadm.c
@@ -118,7 +118,10 @@ static int DoWriteCommand( int argc, char **argv, bool debugflag, char *exename
                if (fgets( linein, sizeof( linein ) - 1, f1 ) == NULL) {
                        break;
                }
-               linein[strlen( linein ) - 1] = 0;       /* whack the line delimiter */
+               if ((strlen(linein) > 0)
+                   && (linein[strlen(linein)-1] == '\n')) {
+                       linein[strlen(linein)-1] = 0;
+               }
 
                if ( debugflag )
                        printf( "Read line [%s]\n", linein );

diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index fdb11f33a039966068e74781dffea80d155a0f0a..5b3b1e34d748d69ba628d14012bd9e9a2bb5e345 100644 (file)
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -4262,8 +4262,9 @@ static bool get_user_tokens_from_file(FILE *f,
                        return true;
                }
 
-               if (line[strlen(line)-1] == '\n')
+               if ((strlen(line) > 0) && (line[strlen(line)-1] == '\n')) {
                        line[strlen(line)-1] = '\0';
+               }
 
                if (line[0] == ' ') {
                        /* We have a SID */

diff --git a/source3/utils/smbget.c b/source3/utils/smbget.c
index b7d56cdcba24934a2575b8bfe4f6874309e2a2e1..15fe1fd70a424ba3c18c3a42822ebcd55a355dcf 100644 (file)
--- a/source3/utils/smbget.c
+++ b/source3/utils/smbget.c
@@ -94,7 +94,9 @@ static void get_auth_data(const char *srv, const char *shr, char *wg, int wglen,
                if (fgets(tmp, sizeof(tmp), stdin) == NULL) {
                        return;
                }
-               if(tmp[strlen(tmp)-1] == '\n')tmp[strlen(tmp)-1] = '\0';
+               if ((strlen(tmp) > 0) && (tmp[strlen(tmp)-1] == '\n')) {
+                       tmp[strlen(tmp)-1] = '\0';
+               }
                strncpy(un, tmp, unlen-1);
        } else if(username) strncpy(un, username, unlen-1);
 

diff --git a/source4/torture/nbench/nbench.c b/source4/torture/nbench/nbench.c
index 5a4037f906d1d73dba685ae5b9922ca0ab2100de..05c889d1b7d34587bc91c1bbe3f0d42e29b6b10e 100644 (file)
--- a/source4/torture/nbench/nbench.c
+++ b/source4/torture/nbench/nbench.c
@@ -95,7 +95,9 @@ again:
 
                nbench_line_count++;
 
-               line[strlen(line)-1] = 0;
+               if ((strlen(line) > 0) && line[strlen(line)-1] == '\n') {
+                       line[strlen(line)-1] = 0;
+               }
 
                all_string_sub(line,"client1", cname, sizeof(line));