From: Alexander Bainbridge-Sedivy
Date: Fri, 29 May 2026 14:07:57 +0000 (-0400)
Subject: lib/ldap/directory: fix strncmp prefix-match false positives in server capability...
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=c777837e00a9317a48c236aaf8c45f03bd2643d4;p=thirdparty%2Ffreeradius-server.git
lib/ldap/directory: fix strncmp prefix-match false positives in server capability detection
---
diff --git a/src/lib/ldap/directory.c b/src/lib/ldap/directory.c
index 6c4b6a7dbe2..704ab8d3d27 100644
--- a/src/lib/ldap/directory.c
+++ b/src/lib/ldap/directory.c
@@ -149,7 +149,8 @@ int fr_ldap_directory_result_parse(fr_ldap_directory_t *directory, LDAP *handle,
 if (values) {
 num = ldap_count_values_len(values);
 for (i = 0; i < num; i++) {
- if (strncmp("OpenLDAProotDSE", values[i]->bv_val, values[i]->bv_len) == 0) {
+ if ((values[i]->bv_len == sizeof("OpenLDAProotDSE") - 1) &&
+ (memcmp("OpenLDAProotDSE", values[i]->bv_val, values[i]->bv_len) == 0)) {
 directory->type = FR_LDAP_DIRECTORY_OPENLDAP;
 }
 }
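Review bot: The exact-match test is now written out by hand four times in this commit, once here with `sizeof("OpenLDAProotDSE") - 1` and three times in the supportedControl loop of the second hunk with `strlen(...)`, and no comment at any site records why the length comparison has to stay. The compared values appear to come from the directory server's reply, and a strncmp() bounded by bv_len accepts any prefix of the constant, including a zero-length value, so a later simplification back to strncmp() would quietly bring the false positive back. A small file-local helper (the name below is only a suggestion) keeps the length check and the memcmp() together and gives that explanation one home. fr_ldap_directory_result_parse() starts and ends outside both hunks.

```c
/* Exact match of a berval against a NUL-terminated constant.
 * A strncmp() bounded by bv_len would accept any prefix of str,
 * including an empty value.
 */
static inline bool berval_eq_str(struct berval const *bv, char const *str)
{
	size_t len = strlen(str);

	return (bv->bv_len == len) && (memcmp(str, bv->bv_val, len) == 0);
}

/* … unchanged: values lookup and loop header … */
			if (berval_eq_str(values[i], "OpenLDAProotDSE")) {
```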
@@ -192,17 +193,20 @@ found:
 if (values) {
 num = ldap_count_values_len(values);
 for (i = 0; i < num; i++) {
- if (strncmp(LDAP_CONTROL_SYNC, values[i]->bv_val, values[i]->bv_len) == 0) {
+ if ((values[i]->bv_len == strlen(LDAP_CONTROL_SYNC)) &&
+ (memcmp(LDAP_CONTROL_SYNC, values[i]->bv_val, values[i]->bv_len) == 0)) {
 INFO("Directory supports RFC 4533");
 directory->sync_type = FR_LDAP_SYNC_RFC4533;
 break;
 }
- if (strncmp(LDAP_SERVER_NOTIFICATION_OID, values[i]->bv_val, values[i]->bv_len) == 0) {
+ if ((values[i]->bv_len == strlen(LDAP_SERVER_NOTIFICATION_OID)) &&
+ (memcmp(LDAP_SERVER_NOTIFICATION_OID, values[i]->bv_val, values[i]->bv_len) == 0)) {
 INFO("Directory supports LDAP_SERVER_NOTIFICATION_OID");
 directory->sync_type = FR_LDAP_SYNC_ACTIVE_DIRECTORY;
 break;
 }
- if (strncmp(LDAP_CONTROL_PERSIST_REQUEST, values[i]->bv_val, values[i]->bv_len) == 0) {
+ if ((values[i]->bv_len == strlen(LDAP_CONTROL_PERSIST_REQUEST)) &&
+ (memcmp(LDAP_CONTROL_PERSIST_REQUEST, values[i]->bv_val, values[i]->bv_len) == 0)) {
 INFO("Directory supports persistent search");
 directory->sync_type = FR_LDAP_SYNC_PERSISTENT_SEARCH;
 break;
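Review bot: Because each of the three branches ends in `break`, the sync_type that gets set is whichever matching control the server lists first, not a preference fixed by this code. The page does not show whether any directory advertises more than one of these controls, but if one does, the selected sync mode depends on the order of the returned values. If a preference is intended, record the matches inside the loop and choose after it; if not, a comment on the loop such as `/* First matching control in server order wins */` would make the behaviour explicit. The loop body and the enclosing function continue outside the hunk.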