s3:registry: fix invalid write in iconvert_talloc()

For a non-preallocated dest-string and sourcestring of len < 2,
(one or both of the) final two two zero-bytes would be written
after the end of the allocated dest-string. The sourcelen did
not include the source string terminator. For longer strings,
this was not a problem because the dest-string would have been
reallocated in the convert-loop. This is fixed now by allocating
two extra bytes for the terminating 0-bytes that are needed anyways
in the initial allocation.

Pair-Programmed-With: Gregor Beck <gbeck@sernet.de>

diff --git a/source3/registry/reg_parse_internal.c b/source3/registry/reg_parse_internal.c
index 47346623020d1e7e36a11756a9819b6e472705b9..dedbe123d864139a3bc7fa321b2ccc513afb7991 100644 (file)
--- a/source3/registry/reg_parse_internal.c
+++ b/source3/registry/reg_parse_internal.c
@@ -42,8 +42,11 @@ size_t iconvert_talloc(const void* ctx,
        dst = *pdst;
 
        if (dst == NULL) {
-               /* dstlen = 2*srclen + 2; */
-               dstlen = srclen;
+               /*
+                * Allocate an extra two bytes for the
+                * terminating zero.
+                */
+               dstlen = srclen + 2;
                dst = (char *)talloc_size(ctx, dstlen);
                if (dst == NULL) {
                        DEBUG(0,("iconver_talloc no mem\n"));