s3-lib/util: fix logic inside set_namearray loops.

Additional fix for bug #10544 - s3-lib/util: set_namearray reads across end of namelist string.

Not strictly needed as the initial fix addresses
the problem, but corrects the internal logic
inside the loops.

https://bugzilla.samba.org/show_bug.cgi?id=10544

Signed-off-by: Jeremy Allison <jra@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
(cherry picked from commit 4f59580331b934b183c3344da57f2002d88d4512)

diff --git a/source3/lib/util.c b/source3/lib/util.c
index 8de5d08e4353e4872e34885f00982797461ad52c..7095da9bbd99f3f1476c223ec97636ba7b24a0e7 100644 (file)
--- a/source3/lib/util.c
+++ b/source3/lib/util.c
@@ -1096,11 +1096,13 @@ void set_namearray(name_compare_entry **ppname_array, const char *namelist_in)
 
                /* find the next '/' or consume remaining */
                name_end = strchr_m(nameptr, '/');
-               if (name_end == NULL)
-                       name_end = (char *)nameptr + strlen(nameptr);
-
-               /* next segment please */
-               nameptr = name_end + 1;
+               if (name_end == NULL) {
+                       /* Point nameptr at the terminating '\0' */
+                       nameptr += strlen(nameptr);
+               } else {
+                       /* next segment please */
+                       nameptr = name_end + 1;
+               }
                num_entries++;
        }
 
@@ -1130,10 +1132,9 @@ void set_namearray(name_compare_entry **ppname_array, const char *namelist_in)
 
                /* find the next '/' or consume remaining */
                name_end = strchr_m(nameptr, '/');
-               if (name_end)
+               if (name_end != NULL) {
                        *name_end = '\0';
-               else
-                       name_end = nameptr + strlen(nameptr);
+               }
 
                (*ppname_array)[i].is_wild = ms_has_wild(nameptr);
                if(((*ppname_array)[i].name = SMB_STRDUP(nameptr)) == NULL) {
@@ -1142,8 +1143,13 @@ void set_namearray(name_compare_entry **ppname_array, const char *namelist_in)
                        return;
                }
 
-               /* next segment please */
-               nameptr = name_end + 1;
+               if (name_end == NULL) {
+                       /* Point nameptr at the terminating '\0' */
+                       nameptr += strlen(nameptr);
+               } else {
+                       /* next segment please */
+                       nameptr = name_end + 1;
+               }
                i++;
        }