From 70f59d3fff7af8e1a29b53877e07e401e5dd7a17 Mon Sep 17 00:00:00 2001
From: Daniil Sarafannikov <sarafannikovda@sgu.ru>
Date: Mon, 18 May 2026 16:28:01 +0400
Subject: [PATCH] util_sd: fix incorrect strings match

parse_ace() accepted strings like "ALLOWED123" as valid ACE
types because strncmp() compared only prefixes without
NULL terminators.

Switch to exact string comparison to ensure only valid
ACE type names are accepted.

Pair-Programmed-With: Dmitry Mikhalchenko <tascad@altlinux.org>
Signed-off-by: Daniil Sarafannikov <sarafannikovda@sgu.ru>
Reviewed-by: Anoop C S <anoopcs@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Anoop C S <anoopcs@samba.org>
Autobuild-Date(master): Wed Jun  3 08:26:04 UTC 2026 on atb-devel-224
---
 source3/lib/util_sd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source3/lib/util_sd.c b/source3/lib/util_sd.c
index 86e375cb0dd..50c47c2ef8d 100644
--- a/source3/lib/util_sd.c
+++ b/source3/lib/util_sd.c
@@ -432,9 +432,9 @@ bool parse_ace(struct cli_state *cli, struct security_ace *ace,
 		return False;
 	}
 
-	if (strncmp(tok, "ALLOWED", strlen("ALLOWED")) == 0) {
+	if (strcmp(tok, "ALLOWED") == 0) {
 		atype = SEC_ACE_TYPE_ACCESS_ALLOWED;
-	} else if (strncmp(tok, "DENIED", strlen("DENIED")) == 0) {
+	} else if (strcmp(tok, "DENIED") == 0) {
 		atype = SEC_ACE_TYPE_ACCESS_DENIED;
 
 	} else if (strnequal(tok, "0x", 2)) {
-- 
2.47.3