s3: avoid reading past the end of buffer in tdb_unpack 'P' if zero termination is...
authorGregor Beck <gbeck@sernet.de>
Tue, 5 Jul 2011 09:54:58 +0000 (11:54 +0200)
committerMichael Adam <obnox@samba.org>
Mon, 15 Aug 2011 15:15:14 +0000 (17:15 +0200)
Signed-off-by: Michael Adam <obnox@samba.org>
source3/lib/util_tdb.c

index ade46bf18ec86b89ebbdb9b1d445c06af76e70e0..65e46119b4f7a4cc78ef26eb44e39d885013e04f 100644 (file)
@@ -410,7 +410,9 @@ int tdb_unpack(const uint8 *buf, int bufsize, const char *fmt, ...)
                case 'P': /* null-terminated string */
                        /* Return malloc'ed string. */
                        ps = va_arg(ap,char **);
-                       len = strlen((const char *)buf) + 1;
+                       len = strnlen((const char *)buf, bufsize) + 1;
+                       if (bufsize < len)
+                               goto no_space;
                        *ps = SMB_STRDUP((const char *)buf);
                        break;
                case 'f': /* null-terminated string */
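Review bot: The `SMB_STRDUP` result in the 'P' case is stored into `*ps` without a NULL check, so an allocation failure hands the caller a NULL string while unpacking carries on as if it had succeeded; `if (*ps == NULL) goto no_space;` before the `break` would make that path fail, assuming `no_space` is the right error exit for it. The new bound also relies on `bufsize` being non-negative: it is an `int` converted to `size_t` for `strnlen`, so a negative value would make the scan effectively unbounded again before the `bufsize < len` test runs, and it is worth confirming that the function rejects that earlier. The 'f' case that begins on the last line has its body outside this hunk; if it still measures `buf` with `strlen`, it needs the same `strnlen` bound. The switch and the rest of `tdb_unpack` start and end outside the hunk.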