sasl_secret_t ends in a char [1] size. This means the extra character is implicit in the safe_strcpy. When changing to strlcpy ensure we allocate an extra char for it. This fixes a bug where secret->len+1 used with safe_strcpy could actually write into secret->len+2.

1 files changed, 2 insertions, 2 deletions

diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
index bd7664878c..4a4422645d 100644
--- a/source4/auth/gensec/cyrus_sasl.c
+++ b/source4/auth/gensec/cyrus_sasl.c
@@ -99,12 +99,12 @@ static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
 		*psecret = NULL;
 		return SASL_OK;
 	}
-	secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password));
+	secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password)+1);
 	if (!secret) {
 		return SASL_NOMEM;
 	}
 	secret->len = strlen(password);
-	safe_strcpy((char*)secret->data, password, secret->len+1);
+	strlcpy((char*)secret->data, password, secret->len+1);
 	*psecret = secret;
 	return SASL_OK;
 }