author | Jeremy Allison <jra@samba.org> | 2011-05-03 13:53:30 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2011-05-04 12:12:14 -0700 |
commit | 5c53d63348882b17f16bed0cc41f1489dcd6cf66 (patch) | |
tree | 3c9f5c24da6a42c5f2f66cfc57b4ceb5cd4f182f | |
parent | cabd9e70e2f3ce3f617975a4d005d79121313b5f (diff) | |
sasl_secret_t ends in a char [1] size. This means the extra character is implicit in the safe_strcpy. When changing to strlcpy ensure we allocate an extra char for it. This fixes a bug where secret->len+1 used with safe_strcpy could actually write into secret->len+2.
-rw-r--r-- | source4/auth/gensec/cyrus_sasl.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
index bd7664878c..4a4422645d 100644
--- a/source4/auth/gensec/cyrus_sasl.c
+++ b/source4/auth/gensec/cyrus_sasl.c
@@ -99,12 +99,12 @@ static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
 *psecret = NULL;
 return SASL_OK;
 }
- secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password));
+ secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password)+1);
 if (!secret) {
 return SASL_NOMEM;
 }
 secret->len = strlen(password);
- safe_strcpy((char*)secret->data, password, secret->len+1);
+ strlcpy((char*)secret->data, password, secret->len+1);
 *psecret = secret;
 return SASL_OK;
 } |
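Review bot: The allocation size on the `talloc_size` line and the copy bound on the `strlcpy` line each come from a separate `strlen(password)` call, and nothing in the code explains why `+1` is added on top of `sizeof(sasl_secret_t)`, which per the commit message already ends in a one-byte `data[1]`. Taking the length once with `size_t len = strlen(password);` and using `len` for the allocation, for `secret->len` and for the copy bound keeps the three in step. A comment above the allocation such as `/* sasl_secret_t ends in data[1]; the +1 keeps room for the NUL independent of that */` would stop a later cleanup from reintroducing the off-by-one. Separately, this buffer holds a cleartext password and is parented to `gensec_security`; no scrubbing is visible in the hunk, so it is worth confirming the secret is zeroed before that context is freed. The function begins above the hunk, so the declaration of `secret` and the origin of `password` are not visible here.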