From 39f9c854ae258424deea7fcc004077404149dfe5 Mon Sep 17 00:00:00 2001
From: Gregor Beck
Date: Tue, 5 Jul 2011 11:54:58 +0200
Subject: s3: avoid reading past the end of buffer in tdb_unpack 'P' if zero termination is missing

Signed-off-by: Michael Adam
---
 source3/lib/util_tdb.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/source3/lib/util_tdb.c b/source3/lib/util_tdb.c
index ade46bf18e..65e46119b4 100644
--- a/source3/lib/util_tdb.c
+++ b/source3/lib/util_tdb.c
@@ -410,7 +410,9 @@ int tdb_unpack(const uint8 *buf, int bufsize, const char *fmt, ...)
 case 'P': /* null-terminated string */
 /* Return malloc'ed string. */
 ps = va_arg(ap,char **);
- len = strlen((const char *)buf) + 1;
+ len = strnlen((const char *)buf, bufsize) + 1;
+ if (bufsize < len)
+ goto no_space;
 *ps = SMB_STRDUP((const char *)buf);
 break;
 case 'f': /* null-terminated string */
-- cgit
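Review bot: The `*ps = SMB_STRDUP((const char *)buf);` line after the new bound check still stores its result unchecked, so if SMB_STRDUP can return NULL (its definition is not shown) the caller gets a NULL `*ps` while the unpack continues as though the field was read; a guard such as `if (*ps == NULL) goto no_space;` before the `break` would surface that. The new bound also relies on `bufsize` being non-negative here, because `strnlen` takes a `size_t` and a negative `int` would convert to a very large limit; whether that can occur depends on code outside the hunk. The `case 'f'` that follows is likewise labelled a null-terminated string and its body is not visible, so it is worth confirming it computes its length with the same bounded call. tdb_unpack starts and ends outside this hunk.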