From: Kevin McCarthy Date: Sat, 14 Apr 2018 03:39:35 +0000 (-0700) Subject: Improve gss debug printing of status_string. X-Git-Tag: mutt-1-9-5-rel~1 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=ceb0534db7882cd4ad8a0b9a620ea7db703d9215;p=mutt Improve gss debug printing of status_string. Commit f52ee2f7 ensured the debug strings were properly '\0' terminated. However, it did not prevent the strncpy from reading past the end of the status_string.value data; it simply capped it afterwards. Improve the code so it only reads up to status_string.length without overwriting the buffer.
---
diff --git a/imap/auth_gss.c b/imap/auth_gss.c
index d7a366d2..7d6d080a 100644
--- a/imap/auth_gss.c
+++ b/imap/auth_gss.c
@@ -48,6 +48,7 @@ static void print_gss_error(OM_uint32 err_maj, OM_uint32 err_min)
 gss_buffer_desc status_string;
 char buf_maj[512];
 char buf_min[512];
+ size_t status_len;
 
 do
 {
@@ -59,9 +60,11 @@ static void print_gss_error(OM_uint32 err_maj, OM_uint32 err_min)
 &status_string);
 if (GSS_ERROR(maj_stat))
 break;
- strfcpy(buf_maj, (char*) status_string.value, sizeof(buf_maj));
- if (status_string.length < sizeof(buf_maj))
- buf_maj[status_string.length] = '\0';
+ status_len = status_string.length;
+ if (status_len >= sizeof(buf_maj))
+ status_len = sizeof(buf_maj) - 1;
+ strncpy(buf_maj, (char*) status_string.value, status_len);
+ buf_maj[status_len] = '\0';
 gss_release_buffer(&min_stat, &status_string);
 
 maj_stat = gss_display_status (&min_stat,
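Review bot: In the new clamp-and-copy block the copy is already bounded by status_len, so `memcpy(buf_maj, (char*) status_string.value, status_len);` states the intent more directly than strncpy, which stops at an embedded NUL and zero-pads the remainder (harmless here, but it reads as the "safe strcpy" idiom this commit is moving away from). The same five lines are repeated for buf_min in the following hunk; a small static helper that clamps, copies and terminates would keep the two copies in step. If the GSS library in use can return a zero-length buffer whose value is NULL, guarding the copy with `if (status_len > 0)` avoids passing a null source pointer to the copy routine — worth confirming against the implementation. print_gss_error's body continues outside this hunk.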
@@ -72,9 +75,11 @@ static void print_gss_error(OM_uint32 err_maj, OM_uint32 err_min)
 &status_string);
 if (!GSS_ERROR(maj_stat))
 {
- strfcpy(buf_min, (char*) status_string.value, sizeof(buf_min));
- if (status_string.length < sizeof(buf_min))
- buf_min[status_string.length] = '\0';
+ status_len = status_string.length;
+ if (status_len >= sizeof(buf_min))
+ status_len = sizeof(buf_min) - 1;
+ strncpy(buf_min, (char*) status_string.value, status_len);
+ buf_min[status_len] = '\0';
 gss_release_buffer(&min_stat, &status_string);
 }
 } while (!GSS_ERROR(maj_stat) && msg_ctx != 0);