s3: net: Harden srprs_str() against memcmp overread.
authorJeremy Allison <jra@samba.org>
Mon, 13 May 2019 20:45:10 +0000 (13:45 -0700)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 15 May 2019 21:26:12 +0000 (21:26 +0000)
Found by Michael Hanselmann using fuzzing tools

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13842

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source3/lib/srprs.c

index 02f4c80e27b0bab0921a864a31ddb50c746faed7..67ada3796f0effa0b93e63c0878fb8c5eecd423e 100644 (file)
@@ -46,9 +46,17 @@ bool srprs_char(const char** ptr, char c) {
 
 bool srprs_str(const char** ptr, const char* str, ssize_t len)
 {
+       /* By definition *ptr must be null terminated. */
+       size_t ptr_len = strlen(*ptr);
+
        if (len == -1)
                len = strlen(str);
 
+       /* Don't memcmp read past end of buffer. */
+       if (len > ptr_len) {
+               return false;
+       }
+
        if (memcmp(*ptr, str, len) == 0) {
                *ptr += len;
                return true;
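Review bot: The new bound `if (len > ptr_len)` compares an `ssize_t` with a `size_t`, so `len` is converted to unsigned before the test. A negative `len` other than -1 is therefore rejected only as a side effect of that conversion, and the line is likely to trip `-Wsign-compare`. Making the intent explicit with `if (len < 0 || (size_t)len > ptr_len) {` keeps the same result without relying on the implicit conversion. The check bounds the read of `*ptr` only: with an explicit `len`, `memcmp` still reads `len` bytes from `str`, so a comment such as `/* len must not exceed the length of str. */` would document the remaining caller obligation (the callers are not visible here). The body of `srprs_str` continues past the end of this hunk.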