How buggy this little piece of code could be? Repair strnvis() buffersize
[dragonfly.git] / crypto / openssh-5 / sshconnect2.c
index 868f269..f640592 100644 (file)
@@ -386,8 +386,8 @@ input_userauth_banner(int type, u_int32_t seq, void *ctxt)
        if (len > 0 && options.log_level >= SYSLOG_LEVEL_INFO) {
                if (len > 65536)
                        len = 65536;
-               msg = xmalloc(len * 4); /* max expansion from strnvis() */
-               strnvis(msg, raw, len * 4, VIS_SAFE|VIS_OCTAL);
+               msg = xmalloc(len * 4 + 1); /* max expansion from strnvis() */
+               strnvis(msg, raw, len * 4 + 1, VIS_SAFE|VIS_OCTAL);
                fprintf(stderr, "%s", msg);
                xfree(msg);
        }
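Review bot: The size expression `len * 4 + 1` is now written out twice, once in the `xmalloc()` call and once as the bound passed to `strnvis()`, and that bound only protects the buffer while the two copies stay identical. Computing it once removes the risk of them drifting apart again: `size_t msg_size = (size_t)len * 4 + 1;`, then `msg = xmalloc(msg_size);` and `strnvis(msg, raw, msg_size, VIS_SAFE|VIS_OCTAL);`. The trailing comment still reads `/* max expansion from strnvis() */` and does not explain the new `+ 1`; something like `/* 4 output bytes per input byte (octal escape) plus the terminating NUL */` would record why the size is what it is. The banner text comes from the server, so this encoding step is what keeps raw control characters off the user's terminal. The return value of `strnvis()` is ignored, so a banner cut short by the 65536 clamp is printed with no indication. The declarations of `len`, `raw` and `msg` and the rest of `input_userauth_banner` lie outside the hunk, so their types are assumed here.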