diff options
author | Gregor Beck <gbeck@sernet.de> | 2011-07-05 11:54:58 +0200 |
---|---|---|
committer | Michael Adam <obnox@samba.org> | 2011-08-15 17:15:14 +0200 |
commit | 39f9c854ae258424deea7fcc004077404149dfe5 (patch) | |
tree | b4950b9dbce35c6e987d08968ca3c42ecd009857 | |
parent | 043c5219328cfdac0c227fb7ee70dc185277f186 (diff) | |
download | samba-39f9c854ae258424deea7fcc004077404149dfe5.tar.gz samba-39f9c854ae258424deea7fcc004077404149dfe5.tar.bz2 samba-39f9c854ae258424deea7fcc004077404149dfe5.zip |
s3: avoid reading past the end of buffer in tdb_unpack 'P' if zero termination is missing
Signed-off-by: Michael Adam <obnox@samba.org>
-rw-r--r-- | source3/lib/util_tdb.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/source3/lib/util_tdb.c b/source3/lib/util_tdb.c index ade46bf18e..65e46119b4 100644 --- a/source3/lib/util_tdb.c +++ b/source3/lib/util_tdb.c @@ -410,7 +410,9 @@ int tdb_unpack(const uint8 *buf, int bufsize, const char *fmt, ...) case 'P': /* null-terminated string */ /* Return malloc'ed string. */ ps = va_arg(ap,char **); - len = strlen((const char *)buf) + 1; + len = strnlen((const char *)buf, bufsize) + 1; + if (bufsize < len) + goto no_space; *ps = SMB_STRDUP((const char *)buf); break; case 'f': /* null-terminated string */ |