From e7936223237b6e20e671479fdb86d9d5f390eaa2 Mon Sep 17 00:00:00 2001
From: Daniel Markstedt
Date: Fri, 8 May 2026 10:30:46 +0200
Subject: [PATCH] CVE-2026-44067: libatalk/vfs: bound EA header parsing
Reported-by: @00redbeer
Signed-off-by: Daniel Markstedt
---
 libatalk/vfs/ea_ad.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/libatalk/vfs/ea_ad.c b/libatalk/vfs/ea_ad.c
index 8e39f4127..6792b92a7 100644
--- a/libatalk/vfs/ea_ad.c
+++ b/libatalk/vfs/ea_ad.c
@@ -164,12 +164,20 @@ static int unpack_header(struct ea *ea)
 }
 buf = ea->ea_data + EA_HEADER_SIZE;
+ const char *buf_end = ea->ea_data + ea->ea_size;
 while (count < ea->ea_count) {
+ if (buf + 5 > buf_end) { /* 4-byte size field + at least null terminator */
+ LOG(log_error, logtype_afpd, "unpack_header: EA header overrun at entry %u",
+ count);
+ ret = -1;
+ goto exit;
+ }
+
 memcpy(&uint32, buf, 4); /* EA size */
 buf += 4;
 (*(ea->ea_entries))[count].ea_size = ntohl(uint32);
- (*(ea->ea_entries))[count].ea_name = strdup(buf);
+ (*(ea->ea_entries))[count].ea_name = strndup(buf, buf_end - buf);
 if (!(*(ea->ea_entries))[count].ea_name) {
 LOG(log_error, logtype_afpd, "unpack_header: OOM");
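Review bot: The `strndup(buf, buf_end - buf)` call accepts a final entry name that has no NUL terminator inside the buffer and stores it silently truncated, where a malformed header should be rejected outright. The code that advances `buf` past the name is outside this hunk, so this is inferred, but if it steps by the name length plus one, `buf` would land beyond `buf_end`, and the next iteration would rely on the out-of-range pointer comparison `buf + 5 > buf_end` to stop. I would check for the terminator before copying, `if (memchr(buf, '\0', (size_t)(buf_end - buf)) == NULL) { ret = -1; goto exit; }`, and write the loop guard as `buf_end - buf < 5` so that no pointer past the end of `ea_data` is ever formed. unpack_header begins before and continues after the hunk, so whether `ea->ea_size` is already known to be at least `EA_HEADER_SIZE` cannot be confirmed from here.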