From: Noel Power
Date: Tue, 21 May 2019 13:08:15 +0000 (+0000)
Subject: s3/lib: don't write to buffer (which might be NULL) if bufsize <=0
X-Git-Tag: ldb-2.0.5~570
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5477b83db28c67743e25a638c93bc4117a8a7ced;p=thirdparty%2Fsamba.git

s3/lib: don't write to buffer (which might be NULL) if bufsize <=0

Some code depends that tdb_pack[va] will return the bytes it would write to 'buf' if the bufsize passed in is <=0, writing to the buffer is protected by with lines like if (bufsize && bufsize >= len) { /* write to 'buf' */ } however in these instances the local pointer to the buffer is still modified buf += len; It's quite probable if bufsize == 0 that buf itself is NULL, in this case we should protect against performing pointer arithmetic.

Signed-off-by: Noel Power
Reviewed-by: Andreas Schneider
---
diff --git a/source3/lib/util_tdb.c b/source3/lib/util_tdb.c
index 0d1532193d4..943847f04a3 100644
--- a/source3/lib/util_tdb.c
+++ b/source3/lib/util_tdb.c
@@ -44,10 +44,9 @@ static size_t tdb_pack_va(uint8_t *buf, int bufsize, const char *fmt, va_list ap
 	int len = 0;
 	char *s;
 	char c;
-	uint8_t *buf0 = buf;
 	const char *fmt0 = fmt;
 	int bufsize0 = bufsize;
-
+	size_t to_write = 0;
 	while (*fmt) {
 		switch ((c = *fmt++)) {
 		case 'b': /* unsigned 8-bit integer */
@@ -104,17 +103,19 @@ static size_t tdb_pack_va(uint8_t *buf, int bufsize, const char *fmt, va_list ap
 			break;
 		}
 
-		buf += len;
-		if (bufsize)
+		to_write += len;
+		if (bufsize > 0) {
 			bufsize -= len;
+			buf += len;
+		}
 		if (bufsize < 0)
 			bufsize = 0;
 	}
 
 	DEBUG(18,("tdb_pack_va(%s, %d) -> %d\n",
-		  fmt0, bufsize0, (int)PTR_DIFF(buf, buf0)));
+		  fmt0, bufsize0, (int)to_write));
 
-	return PTR_DIFF(buf, buf0);
+	return to_write;
 }
 
 size_t tdb_pack(uint8_t *buf, int bufsize, const char *fmt, ...)
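Review bot: In the second hunk the new `buf += len;` is only gated on `bufsize > 0`, so when 0 < bufsize < len the pointer is still advanced past the end of the caller's buffer; `bufsize` then goes negative and is clamped to 0 so nothing further is written or advanced, but forming a pointer beyond one-past-the-end is undefined behaviour even though `buf` is no longer read after the loop now that PTR_DIFF is gone. The commit message says the per-case writes are guarded by `bufsize >= len` (those case bodies are outside the hunk, so I cannot confirm it here); the pointer advance should use the same condition, e.g. `if (bufsize > 0 && bufsize >= len) { buf += len; }`, while `bufsize -= len;` stays under its own `if (bufsize > 0)` so the existing clamp-to-zero behaviour is unchanged. A short comment above the advance, such as `/* only move buf while it still points inside the caller's buffer; bufsize <= 0 may mean buf == NULL */`, would record why the two conditions differ. The while loop and tdb_pack_va itself begin before this hunk.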