summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2011-05-03 13:53:30 -0700
committerJeremy Allison <jra@samba.org>2011-05-04 12:12:14 -0700
commit5c53d63348882b17f16bed0cc41f1489dcd6cf66 (patch)
tree3c9f5c24da6a42c5f2f66cfc57b4ceb5cd4f182f
parentcabd9e70e2f3ce3f617975a4d005d79121313b5f (diff)
downloadsamba-5c53d63348882b17f16bed0cc41f1489dcd6cf66.tar.gz
samba-5c53d63348882b17f16bed0cc41f1489dcd6cf66.tar.bz2
samba-5c53d63348882b17f16bed0cc41f1489dcd6cf66.zip
sasl_secret_t ends in a char [1] size. This means the extra character is implicit in the safe_strcpy. When changing to strlcpy ensure we allocate an extra char for it. This fixes a bug where secret->len+1 used with safe_strcpy could actually write into secret->len+2.
-rw-r--r--source4/auth/gensec/cyrus_sasl.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
index bd7664878c..4a4422645d 100644
--- a/source4/auth/gensec/cyrus_sasl.c
+++ b/source4/auth/gensec/cyrus_sasl.c
@@ -99,12 +99,12 @@ static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
*psecret = NULL;
return SASL_OK;
}
- secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password));
+ secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password)+1);
if (!secret) {
return SASL_NOMEM;
}
secret->len = strlen(password);
- safe_strcpy((char*)secret->data, password, secret->len+1);
+ strlcpy((char*)secret->data, password, secret->len+1);
*psecret = secret;
return SASL_OK;
}