basic_smb_auth: Buffer overrun.

A reply string expanding to >8KB after shell escaping can cause the helper
memory corruption or crash as output buffer is overrun.

 Detected by Coverity Scan. Issue 740411

diff --git a/helpers/basic_auth/SMB/basic_smb_auth.cc b/helpers/basic_auth/SMB/basic_smb_auth.cc
index 70782802b8d92162b29b938b31640eb396d21a65..b5777463abdaf01beec9d5776cae84b508f044e5 100644 (file)
--- a/helpers/basic_auth/SMB/basic_smb_auth.cc
+++ b/helpers/basic_auth/SMB/basic_smb_auth.cc
@@ -82,8 +82,12 @@ print_esc(FILE * p, char *s)
     char *t;
     int i = 0;
 
-    for (t = s; *t != '\0'; t++) {
-        if (i > HELPER_INPUT_BUFFER-2) {
+    for (t = s; *t != '\0'; ++t) {
+        /*
+         * NP: The shell escaping permits 'i' to jump up to 2 octets per loop,
+         *     so ensure we have at least 3 free.
+         */
+        if (i > HELPER_INPUT_BUFFER-3) {
             buf[i] = '\0';
             (void) fputs(buf, p);
             i = 0;