r23455: These buffers may not be null terminated. Ensure we don't run past the

end of teh buffer printing the error strings.

Andrew Bartlett
(This used to be commit 37e7070ca92e2f48fa02f7fd6736e5b26520f559)

diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index 5596949edae5aa6c79b47c5418891f6c4017c7c0..8a629405da6b28ddec8895d2fa94eb3cb8bdaef5 100644 (file)
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -87,18 +87,29 @@ static char *gssapi_error_string(TALLOC_CTX *mem_ctx,
        OM_uint32 disp_min_stat, disp_maj_stat;
        gss_buffer_desc maj_error_message;
        gss_buffer_desc min_error_message;
+       char *maj_error_string, *min_error_string;
        OM_uint32 msg_ctx = 0;
 
        char *ret;
 
        maj_error_message.value = NULL;
        min_error_message.value = NULL;
+       maj_error_message.length = 0;
+       min_error_message.length = 0;
        
        disp_maj_stat = gss_display_status(&disp_min_stat, maj_stat, GSS_C_GSS_CODE,
                           mech, &msg_ctx, &maj_error_message);
        disp_maj_stat = gss_display_status(&disp_min_stat, min_stat, GSS_C_MECH_CODE,
                           mech, &msg_ctx, &min_error_message);
-       ret = talloc_asprintf(mem_ctx, "%s: %s", (char *)maj_error_message.value, (char *)min_error_message.value);
+       
+       maj_error_string = talloc_strndup(mem_ctx, (char *)maj_error_message.value, maj_error_message.length);
+
+       min_error_string = talloc_strndup(mem_ctx, (char *)min_error_message.value, min_error_message.length);
+
+       ret = talloc_asprintf(mem_ctx, "%s: %s", maj_error_string, min_error_string);
+
+       talloc_free(maj_error_string);
+       talloc_free(min_error_string);
 
        gss_release_buffer(&disp_min_stat, &maj_error_message);
        gss_release_buffer(&disp_min_stat, &min_error_message);