OpenDKIM
miltertest: Buffer overflow when replacing the message body
miltertest crashes when a milter replaces the message body with a message body larger than 1 kilobyte or so. It looks like the cause is a buffer overflow in miltertest. To reproduce:
overflow.c:

    #include <assert.h>
    #include <string.h>
    #include "libmilter/mfapi.h"

    // Crashes with size 1033, works when decreased:
    #define BODYSIZE 1033

    // End-of-message callback: replace the whole body with BODYSIZE dots.
    static sfsistat overflow_eom(SMFICTX *ctx) {
        unsigned char body[BODYSIZE];
        memset(body, '.', BODYSIZE);
        int status = smfi_replacebody(ctx, body, BODYSIZE);
        assert(status == MI_SUCCESS);
        return SMFIS_CONTINUE;
    }

    int main(void) {
        // Listen on the socket that overflow.lua connects to.
        int status = smfi_setconn("inet:3000@localhost");
        assert(status == MI_SUCCESS);
        // SMFIF_CHGBODY announces that this milter may replace the body.
        status = smfi_register((struct smfiDesc) {
            .xxfi_version = SMFI_VERSION,
            .xxfi_flags = SMFIF_CHGBODY,
            .xxfi_eom = overflow_eom,
        });
        assert(status == MI_SUCCESS);
        return smfi_main();
    }
overflow.lua:

    -- Connect to the milter started from overflow.c.
    conn = mt.connect("inet:3000@localhost")
    assert(conn)
    -- Send end-of-message; the milter replies with the oversized body replacement.
    local err = mt.eom(conn)
    assert(err == nil, err)
    assert(mt.getreply(conn) == SMFIR_CONTINUE)
Compile the milter with something like `c99 -Wall overflow.c -lmilter -o overflow`, start it with `./overflow`, and then run the test:
$ miltertest -s overflow.lua
*** stack smashing detected ***: <unknown> terminated
Aborted (core dumped)