If the binding string ends with "[", we were setting options to an
empty string, then asking for 'options[strlen(options)-1]', which
UBSan doesn't like because the offset evaluates to (size_t)0xFFFFF...
causing pointer overflow.
I believe this is actually well defined in practice, but we don't want
to be in the habit of leaving sanitiser warnings in code parsing
untrusted strings.
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
p = strchr(s, '[');
if (p) {
- *p = '\0';
- options = p + 1;
- if (options[strlen(options)-1] != ']') {
+ char *q = p + strlen(p) - 1;
+ if (*q != ']') {
talloc_free(b);
return NT_STATUS_INVALID_PARAMETER_MIX;
}
- options[strlen(options)-1] = 0;
+ *p = '\0';
+ *q = '\0';
+ options = p + 1;
}
p = strchr(s, '@');
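Review bot: the new `char *q = p + strlen(p) - 1;` is only safe because it is evaluated before `*p = '\0'`, while `p` still points at the '[' and `strlen(p)` is therefore at least 1; nothing in the hunk says so, and moving the `*p = '\0'` line back above it would silently reintroduce the `strlen() - 1` underflow the commit message describes. Consider a one-line comment above `q` stating that invariant (for example, that `*p` is '[' so `q >= p`). It would also be worth covering the two edge inputs in a test: a binding string ending in "[", where `q == p` and the `*q != ']'` check must return NT_STATUS_INVALID_PARAMETER_MIX, and one ending in "[]", where `options` ends up pointing at an empty string that the option parsing after this block has to accept.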