Found by Michael Hanselmann using fuzzing tools
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13842
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
bool srprs_str(const char** ptr, const char* str, ssize_t len)
{
+ /* By definition *ptr must be null terminated. */
+ size_t ptr_len = strlen(*ptr);
+
if (len == -1)
len = strlen(str);
+ /* Don't memcmp read past end of buffer. */
+ if (len > ptr_len) {
+ return false;
+ }
+
if (memcmp(*ptr, str, len) == 0) {
*ptr += len;
return true;
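Review bot: The new guard `if (len > ptr_len)` compares the `ssize_t` parameter `len` with the `size_t` `ptr_len`, so a negative `len` other than -1 is rejected only because it converts implicitly to a very large unsigned value. Writing it as `if (len < 0 || (size_t)len > ptr_len) {` gives the same result, makes it explicit that negative lengths never reach `memcmp`, and avoids a signed/unsigned comparison warning where those are enabled. The check bounds the read on `*ptr` only: with an explicit `len`, `memcmp` still reads `len` bytes from `str`, so the comment should say that callers must supply a `str` of at least `len` bytes, for example `/* Caller guarantees str holds at least len bytes when len != -1. */`. The body of `srprs_str` continues past the end of this hunk.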