From 70025b4a70364a68d08e2880675449e4e4729420 Mon Sep 17 00:00:00 2001
From: Jeremy Allison
Date: Mon, 13 May 2019 13:45:10 -0700
Subject: [PATCH] s3: net: Harden srprs_str() against memcmp overread.

Found by Michael Hanselmann using fuzzing tools

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13842

Signed-off-by: Jeremy Allison
Reviewed-by: Andrew Bartlett
---
 source3/lib/srprs.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/source3/lib/srprs.c b/source3/lib/srprs.c
index 02f4c80e27b..67ada3796f0 100644
--- a/source3/lib/srprs.c
+++ b/source3/lib/srprs.c
@@ -46,9 +46,17 @@ bool srprs_char(const char** ptr, char c) {

 bool srprs_str(const char** ptr, const char* str, ssize_t len)
 {
+ /* By definition *ptr must be null terminated. */
+ size_t ptr_len = strlen(*ptr);
+
 if (len == -1)
 len = strlen(str);

+ /* Don't memcmp read past end of buffer. */
+ if (len > ptr_len) {
+ return false;
+ }
+
 if (memcmp(*ptr, str, len) == 0) {
 *ptr += len;
 return true;
--
2.47.3
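Review bot: The new bound check `if (len > ptr_len)` compares a `ssize_t` against a `size_t`, so `len` is implicitly converted to unsigned. A negative `len` other than -1 is therefore rejected only as a side effect of that conversion, and the comparison will trip -Wsign-compare. Writing the guard as `if (len < 0 || (size_t)len > ptr_len) {` states the intent and guarantees a negative length can never reach `memcmp`. The check bounds reads of `*ptr` only; when a caller passes an explicit `len`, `str` must still hold at least `len` bytes, which is worth stating in the comment next to "By definition *ptr must be null terminated". The body of `srprs_str` continues past the end of the hunk.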