From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 28 Feb 2023 03:55:06 +0000 (+1300)
Subject: auth/credentials: Fix off-by-one buffer write
X-Git-Tag: talloc-2.4.1~1523
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=262b40d83304d219c4ffb4eadebb8d51c02ba025;p=thirdparty%2Fsamba.git

auth/credentials: Fix off-by-one buffer write

If p == pass + 127, assigning to '*++p' writes beyond the array.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/auth/credentials/credentials.c b/auth/credentials/credentials.c
index 67644e806e4..917b05a547a 100644
--- a/auth/credentials/credentials.c
+++ b/auth/credentials/credentials.c
@@ -1556,7 +1556,7 @@ _PUBLIC_ bool cli_credentials_parse_password_fd(struct cli_credentials *credenti
 	char pass[128];
 
 	for(p = pass, *p = '\0'; /* ensure that pass is null-terminated */
-		p && p - pass < sizeof(pass);) {
+		p && p - pass < sizeof(pass) - 1;) {
 		switch (read(fd, p, 1)) {
 		case 1:
 			if (*p != '\n' && *p != '\0') {