summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGregor Beck <gbeck@sernet.de>2011-07-05 11:54:58 +0200
committerMichael Adam <obnox@samba.org>2011-08-15 17:15:14 +0200
commit39f9c854ae258424deea7fcc004077404149dfe5 (patch)
treeb4950b9dbce35c6e987d08968ca3c42ecd009857
parent043c5219328cfdac0c227fb7ee70dc185277f186 (diff)
downloadsamba-39f9c854ae258424deea7fcc004077404149dfe5.tar.gz
samba-39f9c854ae258424deea7fcc004077404149dfe5.tar.bz2
samba-39f9c854ae258424deea7fcc004077404149dfe5.zip
s3: avoid reading past the end of buffer in tdb_unpack 'P' if zero termination is missing
Signed-off-by: Michael Adam <obnox@samba.org>
-rw-r--r--source3/lib/util_tdb.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/source3/lib/util_tdb.c b/source3/lib/util_tdb.c
index ade46bf18e..65e46119b4 100644
--- a/source3/lib/util_tdb.c
+++ b/source3/lib/util_tdb.c
@@ -410,7 +410,9 @@ int tdb_unpack(const uint8 *buf, int bufsize, const char *fmt, ...)
case 'P': /* null-terminated string */
/* Return malloc'ed string. */
ps = va_arg(ap,char **);
- len = strlen((const char *)buf) + 1;
+ len = strnlen((const char *)buf, bufsize) + 1;
+ if (bufsize < len)
+ goto no_space;
*ps = SMB_STRDUP((const char *)buf);
break;
case 'f': /* null-terminated string */