p++;
*d++ = '\0';
+
+ /*
+ * This talloc_memdup() is OK with the
+ * +1 because *d has been set to '\0'
+ * just above
+ */
dn->components[dn->comp_num].value.data = \
(uint8_t *)talloc_memdup(dn->components, dt, l + 1);
dn->components[dn->comp_num].value.length = l;
}
*d++ = '\0';
+ /*
+ * This talloc_memdup() is OK with the
+ * +1 because *d has been set to '\0'
+ * just above.
+ */
dn->components[dn->comp_num].value.length = l;
dn->components[dn->comp_num].value.data =
(uint8_t *)talloc_memdup(dn->components, dt, l + 1);
}
v.length = val.length;
- v.data = (uint8_t *)talloc_memdup(dn, val.data, v.length+1);
+
+ /*
+ * This is like talloc_memdup(dn, v.data, v.length + 1), but
+ * avoids the over-read
+ */
+ v.data = (uint8_t *)talloc_size(dn, v.length+1);
if ( ! v.data) {
talloc_free(n);
return LDB_ERR_OTHER;
}
+ memcpy(v.data, val.data, val.length);
+
+ /*
+ * Enforce NUL termination outside the stated length, as is
+ * traditional in LDB
+ */
+ v.data[v.length] = '\0';
talloc_free(dn->components[num].name);
talloc_free(dn->components[num].value.data);