Github user rudynedved commented on the pull request: https://github.com/apache/qpid-proton/commit/de3fd617210b5d5a2f2c3e384c33905dbf75ad58#commitcomment-25551886 For clarity, null terminated strings have X non-null characters and 1 null character. Therefore the memory for a null terminated string is strlen()+1. A 4 character value such as "abcd" will require memory for "abcd\0" which on most mallocs is 8 bytes. size = strlen(username+1) makes the username buffer shorter by 1. The subsequent malloc for a username of "abcd" will be strlen("bcd") or size 3 when what is needed is 4+1 or 5. The fix is "size = strlen(username) + 1". Coverity is correct.
--- --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org