BUGFIX when converting from safe_strcpy to strlcpy.
authorJeremy Allison <jra@samba.org>
Tue, 3 May 2011 20:49:28 +0000 (13:49 -0700)
committerJeremy Allison <jra@samba.org>
Wed, 4 May 2011 19:12:14 +0000 (12:12 -0700)
We must have a blob length > 0 in order to copy
the (possibly) 16 bytes + 1 byte zero character safely.

source3/smbd/negprot.c

index 6877ccc861f0806d3b30131e8bae1e14d91fd7c5..9f201b8bee74032995d903e62c579b67651b75c8 100644 (file)
@@ -234,6 +234,10 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn)
                SAFE_FREE(host_princ_s);
        }
 
+       if (blob.length == 0 || blob.data == NULL) {
+               return data_blob_null;
+       }
+
        blob_out = data_blob_talloc(ctx, NULL, 16 + blob.length);
        if (blob_out.data == NULL) {
                data_blob_free(&blob);
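Review bot: The new early return under `if (blob.length == 0 || blob.data == NULL)` exits without releasing `blob`, while the allocation-failure path right below it calls `data_blob_free(&blob)` before returning. Whether `blob` can reach this point with a non-NULL `data` and a zero length is not visible in the hunk, but if it can, that buffer would be leaked each time the guard fires. Adding `data_blob_free(&blob);` before `return data_blob_null;` keeps both exits consistent. negprot_spnego starts and ends outside the hunk.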
@@ -245,7 +249,7 @@ DATA_BLOB negprot_spnego(TALLOC_CTX *ctx, struct smbd_server_connection *sconn)
        checked_strlcpy(unix_name, global_myname(), sizeof(unix_name));
        strlower_m(unix_name);
        push_ascii_nstring(dos_name, unix_name);
-       safe_strcpy((char *)blob_out.data, dos_name, 16);
+       strlcpy((char *)blob_out.data, dos_name, 17);
 
 #ifdef DEVELOPER
        /* Fix valgrind 'uninitialized bytes' issue. */
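Review bot: The literal `17` on the `strlcpy` line is in bounds only because `blob_out` is allocated as `16 + blob.length` and the earlier hunk rejects `blob.length == 0`; nothing at the call site records that dependency, so a later change to either place could silently reintroduce a one-byte overflow. I would add `/* blob_out.length >= 17 here: 16 name bytes + NUL, guaranteed by the blob.length check above */` directly above the call. Separately, `strlcpy` does not pad the destination, and the trailing context comment about uninitialized bytes sits under `#ifdef DEVELOPER`, which suggests the bytes after the terminator may stay uninitialized in production builds; if this buffer is sent to the client, zeroing the first 16 bytes unconditionally would avoid exposing heap contents. The function continues outside the hunk, so the padding code itself is not visible here.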