s3: avoid reading past the end of buffer in tdb_unpack 'f' if zero termination is...
authorGregor Beck <gbeck@sernet.de>
Tue, 5 Jul 2011 09:55:34 +0000 (11:55 +0200)
committerMichael Adam <obnox@samba.org>
Mon, 15 Aug 2011 15:15:14 +0000 (17:15 +0200)
Signed-off-by: Michael Adam <obnox@samba.org>
source3/lib/util_tdb.c

index 65e4611..fb586f4 100644 (file)
@@ -417,7 +417,7 @@ int tdb_unpack(const uint8 *buf, int bufsize, const char *fmt, ...)
                        break;
                case 'f': /* null-terminated string */
                        s = va_arg(ap,char *);
-                       len = strlen((const char *)buf) + 1;
+                       len = strnlen((const char *)buf, bufsize) + 1;
                        if (bufsize < len || len > sizeof(fstring))
                                goto no_space;
                        memcpy(s, buf, len);