From: Daniil Sarafannikov <sarafannikovda@sgu.ru>
Date: Mon, 18 May 2026 12:28:01 +0000 (+0400)
Subject: util_sd: fix incorrect strings match
X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=refs%2Fremotes%2Fgitlab%2Fmaster;p=thirdparty%2Fsamba.git

util_sd: fix incorrect strings match

parse_ace() accepted strings like "ALLOWED123" as valid ACE
types because strncmp() compared only prefixes without
NULL terminators.

Switch to exact string comparison to ensure only valid
ACE type names are accepted.

Pair-Programmed-With: Dmitry Mikhalchenko <tascad@altlinux.org>
Signed-off-by: Daniil Sarafannikov <sarafannikovda@sgu.ru>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Wed Jun  3 08:26:04 UTC 2026 on atb-devel-224
---

diff --git a/source3/lib/util_sd.c b/source3/lib/util_sd.c
index 86e375cb0dd..50c47c2ef8d 100644
--- a/source3/lib/util_sd.c
+++ b/source3/lib/util_sd.c
@@ -432,9 +432,9 @@ bool parse_ace(struct cli_state *cli, struct security_ace *ace,
 		return False;
 	}
 
-	if (strncmp(tok, "ALLOWED", strlen("ALLOWED")) == 0) {
+	if (strcmp(tok, "ALLOWED") == 0) {
 		atype = SEC_ACE_TYPE_ACCESS_ALLOWED;
-	} else if (strncmp(tok, "DENIED", strlen("DENIED")) == 0) {
+	} else if (strcmp(tok, "DENIED") == 0) {
 		atype = SEC_ACE_TYPE_ACCESS_DENIED;
 
 	} else if (strnequal(tok, "0x", 2)) {