- if (server_xauth && server_xauth->data &&
- !memcmp(buf, server_xauth->data, auth_data_len))
- {
+ if (server_xauth && server_xauth->data)
+ {
+ /* Do a compare without comprising info about
+ the size of the cookie */
+ auth_mismatches =
+ ( auth_data_len ^
+ server_xauth->data_length );
+
+ for(auth_data_pos=0; auth_data_pos < auth_data_len; ++auth_data_pos)
+ auth_mismatches |=
+ ( buf[auth_data_pos] ^
+ server_xauth->data[auth_data_pos % server_xauth->data_length]);
+
+ if (auth_mismatches == 0)