CDRIVER-3486 modified _mongoc_cluster_auth_node_sspi to remove the 4096-byte limit on SASL payloads received from the server: buf was changed from a fixed 4096-byte buffer to a dynamically allocated one. However, the base64 string is copied into buf without its NUL terminator, and buf is subsequently base64-decoded in _mongoc_sspi_base64_decode, which uses CryptStringToBinaryA to decode:
The second argument is the input length, which is explicitly 0; that tells the API to treat value (aka buf) as a NUL-terminated string, so the decode relies on a terminator that the copy never wrote.
As a note, I believe this may have been buggy prior to the changes of CDRIVER-3486 as well. Though buf was initially a zero-initialized buffer of 4096 bytes, it was not zero-initialized every iteration.
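The defect pattern and its fix, as an added example that is not the driver's code: copy_payload_terminated, b64_val, b64_decode and decode_copy_matches are hypothetical names, and b64_decode is a portable stand-in that reproduces only the CryptStringToBinaryA length contract (length 0 means "measure the NUL-terminated input with strlen"), so the example runs off Windows.

```c
#include <stdlib.h>
#include <string.h>

/* Copy an n-byte SASL payload into a buffer that is always NUL-terminated.
 * Allocating n (not n + 1) and skipping buf[n] = '\0' is the reported defect. */
char *copy_payload_terminated(const char *src, size_t n) {
    char *buf = malloc(n + 1);          /* +1: room for the terminator */
    if (!buf) return NULL;
    memcpy(buf, src, n);
    buf[n] = '\0';                      /* what the unfixed copy left out */
    return buf;
}

static int b64_val(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    return c == '+' ? 62 : c == '/' ? 63 : -1;
}

/* Base64 decode with the CryptStringToBinaryA length contract: len == 0 means
 * "in is NUL-terminated", so strlen() supplies the length and an unterminated
 * buffer is read past its end. Returns decoded byte count, or -1 on error. */
int b64_decode(const char *in, size_t len, unsigned char *out, size_t out_cap) {
    size_t i, o = 0;
    unsigned acc = 0;
    int bits = 0;
    if (len == 0) len = strlen(in);     /* the branch the driver relies on */
    for (i = 0; i < len && in[i] != '='; i++) {
        int v = b64_val(in[i]);
        if (v < 0) return -1;
        acc = (acc << 6) | (unsigned)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= out_cap) return -1;
            out[o++] = (unsigned char)(acc >> bits);
        }
    }
    return (int)o;
}

/* Copy the first n bytes of a reply buffer (constructed input; trailing bytes
 * stand for the rest of the server reply), decode with len 0, compare. */
int decode_copy_matches(const char *wire, size_t n, const char *expected) {
    unsigned char out[64];
    char *buf = copy_payload_terminated(wire, n);
    int got = buf ? b64_decode(buf, 0, out, sizeof out) : -1;
    free(buf);
    return got == (int)strlen(expected) && memcmp(out, expected, (size_t)got) == 0;
}
```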