Buffer overrun on data from gss_display_status()

[valtri]

After getting error from gss_display_status(), there is used more bytes from the error message buffer. According to documentation, there should be used lenght field during writing error message:

maj_status = gss_display_status ( &min_status, status_code, GSS_C_GSS_CODE, GSS_C_NO_OID, &message_context, &status_string)

printf("%.s\n", (int)status_string.length, (char )status_string.value);

gss_release_buffer(&min_status, &status_string);

Valgrind log:

==21340== Invalid read of size 1 ==21340== at 0x7F4D88D: vfprintf (vfprintf.c:1617) ==21340== by 0x7F6F3B9: vasprintf (vasprintf.c:64) ==21340== by 0x7F54C17: asprintf (asprintf.c:37) ==21340== by 0x58BD2AC: edg_wll_gss_get_error (glite_gss.c:1514) ==21340== by 0x5067EA4: edg_wll_SetErrorGss (context.c:676) ==21340== by 0x4476E5: bk_handle_connection (bkserverd.c:1227) ==21340== by 0x4E2B7C3: slave (srvbones.c:694) ==21340== by 0x4E2BC29: glite_srvbones_run (srvbones.c:166) ==21340== by 0x4497F8: main (bkserverd.c:890) ==21340== Address 0xb25dc78 is 0 bytes after a block of size 40 alloc'd ==21340== at 0x4C244E8: malloc (vg_replace_malloc.c:236) ==21340== by 0x8F0B88C: _gss_mg_get_error (context.c:88) ==21340== by 0x8F0D7B7: gss_display_status (gss_display_status.c:151) ==21340== by 0x58BD21A: edg_wll_gss_get_error (glite_gss.c:1501) ==21340== by 0x5067EA4: edg_wll_SetErrorGss (context.c:676) ==21340== by 0x4476E5: bk_handle_connection (bkserverd.c:1227) ==21340== by 0x4E2B7C3: slave (srvbones.c:694) ==21340== by 0x4E2BC29: glite_srvbones_run (srvbones.c:166) ==21340== by 0x4497F8: main (bkserverd.c:890) ==21340==

[valtri]

It seems the error from valgrind is reproducible only in heimdal flavour of L&B on Debian 6 (libglobus-gssapi-gsi4 7.5, libgssapi2-heimdal 1.4.), on server side of bkserver.

[sustr4]

Fix handed over for release