From 5c53d63348882b17f16bed0cc41f1489dcd6cf66 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 3 May 2011 13:53:30 -0700
Subject: sasl_secret_t ends in a char [1] size. This means the extra character
 is implicit in the safe_strcpy. When changing to strlcpy ensure we allocate
 an extra char for it. This fixes a bug where secret->len+1 used with
 safe_strcpy could actually write into secret->len+2.

---
 source4/auth/gensec/cyrus_sasl.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'source4')

diff --git a/source4/auth/gensec/cyrus_sasl.c b/source4/auth/gensec/cyrus_sasl.c
index bd7664878c..4a4422645d 100644
--- a/source4/auth/gensec/cyrus_sasl.c
+++ b/source4/auth/gensec/cyrus_sasl.c
@@ -99,12 +99,12 @@ static int gensec_sasl_get_password(sasl_conn_t *conn, void *context, int id,
 		*psecret = NULL;
 		return SASL_OK;
 	}
-	secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password));
+	secret = talloc_size(gensec_security, sizeof(sasl_secret_t)+strlen(password)+1);
 	if (!secret) {
 		return SASL_NOMEM;
 	}
 	secret->len = strlen(password);
-	safe_strcpy((char*)secret->data, password, secret->len+1);
+	strlcpy((char*)secret->data, password, secret->len+1);
 	*psecret = secret;
 	return SASL_OK;
 }
-- 
cgit