From f55cebc0d0015ce47ddd49c62b368dfb5f04c50c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bj=C3=B6rn=20Baumbach?= Date: Mon, 7 Apr 2014 13:46:42 +0200 Subject: [PATCH] s3-lib/util: fix read across end of namelist string MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit If the namelist is not terminated with a '/', we try to read the next character after the string termination '\0'. Signed-off-by: Björn Baumbach --- source3/lib/util.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/source3/lib/util.c b/source3/lib/util.c index 374bc5d..d061200 100644 --- a/source3/lib/util.c +++ b/source3/lib/util.c @@ -1035,6 +1035,7 @@ void set_namearray(name_compare_entry **ppname_array, const char *namelist_in) { char *name_end; char *namelist; + char *namelist_end; char *nameptr; int num_entries = 0; int i; @@ -1051,12 +1052,14 @@ void set_namearray(name_compare_entry **ppname_array, const char *namelist_in) } nameptr = namelist; + namelist_end = &namelist[strlen(namelist)]; + /* We need to make two passes over the string. The first to count the number of elements, the second to split it. */ - while(*nameptr) { + while(nameptr <= namelist_end) { if ( *nameptr == '/' ) { /* cope with multiple (useless) /s) */ nameptr++; @@ -1090,7 +1093,7 @@ void set_namearray(name_compare_entry **ppname_array, const char *namelist_in) /* Now copy out the names */ nameptr = namelist; i = 0; - while(*nameptr) { + while(nameptr <= namelist_end) { if ( *nameptr == '/' ) { /* cope with multiple (useless) /s) */ nameptr++; -- 1.8.3.2