s3-lib/util: fix read across end of namelist string

If the namelist is not terminated with a '/', we try to read
the next character after the string termination '\0'.

Signed-off-by: Björn Baumbach <bb@sernet.de>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Apr  8 21:44:16 CEST 2014 on sn-devel-104

diff --git a/source3/lib/util.c b/source3/lib/util.c
index 374bc5d5c9206bcda994e4d657bed6614de46826..d061200bcd446e7e07dd7378312ab56cd3c89d5c 100644 (file)
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -1035,6 +1035,7 @@ void set_namearray(name_compare_entry **ppname_array, const char *namelist_in)
 {
        char *name_end;
        char *namelist;
+       char *namelist_end;
        char *nameptr;
        int num_entries = 0;
        int i;
@@ -1051,12 +1052,14 @@ void set_namearray(name_compare_entry **ppname_array, const char *namelist_in)
        }
        nameptr = namelist;
 
+       namelist_end = &namelist[strlen(namelist)];
+
        /* We need to make two passes over the string. The
                first to count the number of elements, the second
                to split it.
        */
 
-       while(*nameptr) {
+       while(nameptr <= namelist_end) {
                if ( *nameptr == '/' ) {
                        /* cope with multiple (useless) /s) */
                        nameptr++;
@@ -1090,7 +1093,7 @@ void set_namearray(name_compare_entry **ppname_array, const char *namelist_in)
        /* Now copy out the names */
        nameptr = namelist;
        i = 0;
-       while(*nameptr) {
+       while(nameptr <= namelist_end) {
                if ( *nameptr == '/' ) {
                        /* cope with multiple (useless) /s) */
                        nameptr++;