We use ber_flatten2 in an unusual way, but I think this issue is generic:

    int
    ber_flatten2( BerElement *ber, struct berval *bv, int alloc )
    {
        …
        /* copy the berval */
        ber_len_t len = ber_pvt_ber_write( ber );

        if ( alloc ) {
            bv->bv_val = (char *) ber_memalloc_x( len + 1, ber->ber_memctx );
            if ( bv->bv_val == NULL ) {
                return -1;
            }
            AC_MEMCPY( bv->bv_val, ber->ber_buf, len );
        } else {
            bv->bv_val = ber->ber_buf;
        }
        bv->bv_val[len] = '\0';    /* <- ???? */
        bv->bv_len = len;

The problem I have is a crash, because of the bv->bv_val[len] = '\0' when alloc is set to zero, AND the buffer that was passed in was generated by ber_realloc, which did not leave an extra byte at the end, resulting in a write beyond the allocated memory block.

The questions I have are:

1) Is the zero terminator really necessary?
2) If so, it seems like it should only be done if we actually allocated a new buffer (which does leave one byte at the end).

Thanks
Dave Daugherty
Centrify Corp.

BTW, this is my first post here, so let me know