From 1137dfd5497b272284accca8fd2953eb9985c77b Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Tue, 13 Nov 2012 18:10:42 -0700
Subject: [PATCH] basic_smb_auth: Buffer overrun. A reply string expanding to >8KB after shell escaping can cause the helper memory corruption or crash as output buffer is overrun. Detected by Coverity Scan. Issue 740411
---
 helpers/basic_auth/SMB/basic_smb_auth.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/helpers/basic_auth/SMB/basic_smb_auth.cc b/helpers/basic_auth/SMB/basic_smb_auth.cc
index 568f0a6db6..c89dc4ea30 100644
--- a/helpers/basic_auth/SMB/basic_smb_auth.cc
+++ b/helpers/basic_auth/SMB/basic_smb_auth.cc
@@ -82,7 +82,11 @@ print_esc(FILE * p, char *s)
 int i = 0;
 for (t = s; *t != '\0'; ++t) {
- if (i > HELPER_INPUT_BUFFER-2) {
+ /*
+ * NP: The shell escaping permits 'i' to jump up to 2 octets per loop,
+ * so ensure we have at least 3 free.
+ */
+ if (i > HELPER_INPUT_BUFFER-3) {
 buf[i] = '\0';
 (void) fputs(buf, p);
 i = 0;
-- 
2.47.3
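Review bot: The new bound `HELPER_INPUT_BUFFER-3` is still a hand-computed constant, correct only while `buf` holds exactly `HELPER_INPUT_BUFFER` elements and the loop body appends at most two octets per iteration. Both facts live outside this hunk. If `buf` is a local array (its declaration is not visible here), deriving the limit from it, e.g. `if (i + 3 > (int) sizeof(buf)) {`, would keep the flush check in step with the declaration. The added comment could also state that the third free octet is for the terminating NUL written by `buf[i] = '\0';`, since "jump up to 2" next to "at least 3 free" otherwise reads as an unexplained margin. print_esc starts before and continues past the hunk, so the escape branch and the final flush after the loop should be checked against the same bound.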