The branch, v3-6-test has been updated
       via  00834d0 Fix bug 8040 - smbclient segfaults when a Cyrillic netbios name or workgroup is configured.
      from  0ad573f s3-netapi: fix memoryleak while not using talloc_tos() in cli_get_session_key() usage.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-6-test

- Log -----------------------------------------------------------------

commit 00834d05c41bbdebd737f1c4ebb8e04955e092ec
Author: Jeremy Allison <j...@samba.org>
Date:   Fri Mar 25 15:12:12 2011 -0700

    Fix bug 8040 - smbclient segfaults when a Cyrillic netbios name or workgroup is configured.

    As discovered by David Disseldorp <dd...@suse.de>, convert_string_talloc()
    doesn't always return consistent results for a zero length string. The API
    states an incoming string must *always* contain the terminating null, but
    unfortunately too much code expects passing in a zero source length to
    return a null terminated string, so at least ensure we return a correct
    null string in the required character set and return the correct length.

    Also ensure we cannot return a zero length for a converted string (we
    ensure that the returned buffer is always allocated and zero terminated
    anyway) as calling code depends on the fact that returning true from this
    function will *always* return a non-zero length (as it must include the
    terminating null).

    Note this is a different fix from what went into master (this is identical
    to the fix I'm planning for 3.5.x) as convert_string_talloc() has diverged
    between the two.

    Jeremy.

-----------------------------------------------------------------------

Summary of changes:
 source3/lib/charcnv.c |   24 ++++++++++++++++++++++--
 1 files changed, 22 insertions(+), 2 deletions(-)

Changeset truncated at 500 lines:

diff --git a/source3/lib/charcnv.c b/source3/lib/charcnv.c index 5b2149b..fd6cefe 100644 --- a/source3/lib/charcnv.c +++ b/source3/lib/charcnv.c 
@@ -456,14 +456,24 @@ bool convert_string_talloc(TALLOC_CTX *ctx, charset_t from, charset_t to, errno = EINVAL; return false; } + if (srclen == 0) { - ob = talloc_strdup(ctx, ""); + /* We really should treat this as an error, but + there are too many callers that need this to + return a NULL terminated string in the correct + character set. */ + if (to == CH_UTF16LE|| to == CH_UTF16BE || to == CH_UTF16MUNGED) { + destlen = 2; + } else { + destlen = 1; + } + ob = talloc_zero_array(ctx, char, destlen); if (ob == NULL) { errno = ENOMEM; return false; } + *converted_size = destlen; *dest = ob; - *converted_size = 0; return true; } @@ -560,6 +570,16 @@ bool convert_string_talloc(TALLOC_CTX *ctx, charset_t from, charset_t to, ob[destlen] = '\0'; ob[destlen+1] = '\0'; + /* Ensure we can never return a *converted_size of zero. */ + if (destlen == 0) { + /* This can happen from a bad iconv "use_as_is:" call. */ + if (to == CH_UTF16LE|| to == CH_UTF16BE || to == CH_UTF16MUNGED) { + destlen = 2; + } else { + destlen = 1; + } + } + *converted_size = destlen; return true; -- Samba Shared Repository
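Review bot: In the first hunk (the `srclen == 0` branch) the terminator-width choice `if (to == CH_UTF16LE|| to == CH_UTF16BE || to == CH_UTF16MUNGED) { destlen = 2; } else { destlen = 1; }` is hard-coded against three UTF-16 charset values, and the identical test is copied again in the second hunk; a charset added to `charset_t` later that is not single-byte and not in that list would silently get a 1-byte terminator in both places. Suggest factoring it into one small helper (for example `static size_t charset_null_width(charset_t cs)`) so there is a single spot to extend, and while doing so fix the missing space in `CH_UTF16LE||`. The rest of the branch is sound: `talloc_zero_array(ctx, char, destlen)` already yields a zeroed buffer, so the 1- or 2-byte result is correctly NUL-terminated, and `*converted_size` is now set to the allocated length rather than 0, which is what the callers described in the commit message depend on.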
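Review bot: In the second hunk, the `if (destlen == 0)` guard after `ob[destlen] = '\0'; ob[destlen+1] = '\0';` turns a zero-length iconv result into a reported length of 1 or 2 without logging anything, so the "bad iconv use_as_is:" condition the comment mentions becomes invisible to anyone debugging a charset configuration. Suggest adding a `DEBUG(...)` line inside that block naming the `from`/`to` charsets so the misbehaving conversion can be found, and stating in the comment that the two NUL bytes already written at `ob[0]` and `ob[1]` are what make the adjusted `destlen` safe to return (the buffer is not reallocated here). As in the first hunk, the UTF-16 width test is duplicated and `CH_UTF16LE||` lacks a space; one shared helper would cover both.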