From 645c2c39f266f621dfc0ad66a9dc320cd5f7da03 Mon Sep 17 00:00:00 2001
From: Amos Jeffries <squid3@treenet.co.nz>
Date: Fri, 30 Nov 2012 04:04:55 -0700
Subject: [PATCH] basic_smb_auth: Buffer overrun.

A reply string expanding to >8KB after shell escaping can cause the helper
memory corruption or crash as output buffer is overrun.

 Detected by Coverity Scan. Issue 740411
---
 helpers/basic_auth/SMB/basic_smb_auth.cc | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/helpers/basic_auth/SMB/basic_smb_auth.cc b/helpers/basic_auth/SMB/basic_smb_auth.cc
index 70782802b8..b5777463ab 100644
--- a/helpers/basic_auth/SMB/basic_smb_auth.cc
+++ b/helpers/basic_auth/SMB/basic_smb_auth.cc
@@ -82,8 +82,12 @@ print_esc(FILE * p, char *s)
     char *t;
     int i = 0;
 
-    for (t = s; *t != '\0'; t++) {
-        if (i > HELPER_INPUT_BUFFER-2) {
+    for (t = s; *t != '\0'; ++t) {
+        /*
+         * NP: The shell escaping permits 'i' to jump up to 2 octets per loop,
+         *     so ensure we have at least 3 free.
+         */
+        if (i > HELPER_INPUT_BUFFER-3) {
             buf[i] = '\0';
             (void) fputs(buf, p);
             i = 0;
-- 
2.47.2