CDRIVER-3486 modified _mongoc_cluster_auth_node_sspi to remove the 4096 byte limit on SASL payloads received from the server. buf was changed from a fixed 4096 buffer to a dynamically allocated one. However, the base64 string was copied without the NULL terminator. And buf is subsequently base64 decoded in _mongoc_sspi_base64_decode. This uses CryptStringToBinaryA to decode:

if (CryptStringToBinaryA (
          value, 0, CRYPT_STRING_BASE64, NULL, rlen, NULL, NULL)) {

The second argument is the input length, which is explicitly 0, and the expectation being that value (aka buf) is NULL terminated.

As a note, I believe this may have been buggy prior to the changes of CDRIVER-3486 as well. Though buf was initially a zero-initialized buffer of 4096 bytes, it was not zero-initialized every iteration.