Commit bcf7ab26 authored by Howard Chu

ITS#2465 fix? ber_get_next must read at least sizeof(tag)+sizeof(len)

which should be at most 8 bytes. However if we read more than the minimum
message length, we have a problem because we steal bytes from any following
message, and there is no buffer mechanism to push back excess data.
The shortest legitimate message is Unbind at 7 bytes, but there shouldn't
be anything following it. Abandon at 8 bytes is next, so always requesting
at least 8 bytes should be safe. Always requesting 9 was a problem.

Please double-check these assumptions...
parent d14ff18d
......@@ -510,13 +510,13 @@ ber_get_next(
}
while (ber->ber_rwptr > (char *)&ber->ber_tag && ber->ber_rwptr <
(char *)&ber->ber_len + LENSIZE*2) {
(char *)&ber->ber_len + LENSIZE*2 -1) {
ber_slen_t sblen;
char buf[sizeof(ber->ber_len)-1];
ber_len_t tlen = 0;
sblen=ber_int_sb_read( sb, ber->ber_rwptr,
((char *)&ber->ber_len + LENSIZE*2)-ber->ber_rwptr);
((char *)&ber->ber_len + LENSIZE*2 - 1)-ber->ber_rwptr);
if (sblen<=0) return LBER_DEFAULT;
ber->ber_rwptr += sblen;
......
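
Review bot: The end-of-header bound `(char *)&ber->ber_len + LENSIZE*2 - 1` is now written out twice, once in the while condition and once in the length passed to ber_int_sb_read, and the bare `- 1` carries the whole argument of the commit message with no comment in the code. Suggest computing that end pointer once into a local before the loop and commenting it with the reasoning (shortest message Unbind at 7 bytes, Abandon at 8, no way to push back excess bytes), so the two uses cannot drift apart and a later reader does not restore the 9-byte read. The visible lines also do not show that the resulting request is 8 bytes: that depends on LENSIZE and on where ber_rwptr starts relative to ber_tag, so the comment should state that relationship as well. Nothing here enforces the assumption that no data follows an Unbind; since the commit message itself asks for the assumptions to be double-checked, that one deserves an explicit note in the code.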