Fix potential truncation of Kerberos credentials (Issue #5435)

diff --git a/CHANGES.md b/CHANGES.md
index 6c04aeb5af27ca132229101282c644897b339e8e..fe382cef11510994ab1c9a620f27c9135067a695 100644 (file)
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -1,4 +1,4 @@
-CHANGES - 2.3b6 - 2018-11-08
+CHANGES - 2.3b6 - 2018-11-14
 ============================
 
 Changes in CUPS v2.3b6
@@ -37,6 +37,7 @@ Changes in CUPS v2.3b6
   CloseUI/JCLCloseUI keywords (Issue #5381)
 - The scheduler now reports the actual location of the log file (Issue #5398)
 - Added a USB quirk rule (Issue #5420)
+- Kerberos credentials might be truncated (Issue #5435)
 - The scheduler was being backgrounded on macOS, causing applications to spin
   (rdar://40436080)
 - The scheduler did not validate that required initial request attributes were

diff --git a/cups/auth.c b/cups/auth.c
index 4c509bbc716291cfe4fd4a04de391113de9014d5..0a490948c8221756c007e0731df261f19624721e 100644 (file)
--- a/cups/auth.c
+++ b/cups/auth.c
@@ -442,7 +442,7 @@ _cupsSetNegotiateAuthString(
     */
 
     int authsize = 10 +                        /* "Negotiate " */
-                  (int)output_token.length * 4 / 3 + 1 + 1;
+                  (int)((output_token.length * 4 / 3 + 3) & ~3) + 1;
                                        /* Base64 + nul */
 
     httpSetAuthString(http, NULL, NULL);