BUG/MEDIUM: checks: Fix off-by-one in allocation of SMTP greeting cmd

The allocation did not account for either the trailing null byte or the
space, leading to a buffer overwrite.

This bug was detected by an assertion failure in the allocator. But can
also be easily detected using valgrind:

    ==25827== Invalid write of size 1
    ==25827==    at 0x6529759: __vsprintf_chk (vsprintf_chk.c:84)
    ==25827==    by 0x65296AC: __sprintf_chk (sprintf_chk.c:31)
    ==25827==    by 0x4D6AB7: sprintf (stdio2.h:33)
    ==25827==    by 0x4D6AB7: proxy_parse_smtpchk_opt (check.c:1799)
    ==25827==    by 0x4A7DDD: cfg_parse_listen (cfgparse-listen.c:2269)
    ==25827==    by 0x494AD3: readcfgfile (cfgparse.c:2167)
    ==25827==    by 0x542995: init (haproxy.c:2021)
    ==25827==    by 0x421DD2: main (haproxy.c:3121)
    ==25827==  Address 0x78712a8 is 0 bytes after a block of size 24 alloc'd
    ==25827==    at 0x4C2FB55: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==25827==    by 0x4D6A8C: proxy_parse_smtpchk_opt (check.c:1797)
    ==25827==    by 0x4A7DDD: cfg_parse_listen (cfgparse-listen.c:2269)
    ==25827==    by 0x494AD3: readcfgfile (cfgparse.c:2167)
    ==25827==    by 0x542995: init (haproxy.c:2021)
    ==25827==    by 0x421DD2: main (haproxy.c:3121)

This patch fixes issue #681.

This bug was introduced in commit fbcc77c6baa7edee85be9c2384d12c55ef651a5a,
which first appeared in 2.2-dev7. No backport needed.
diff --git a/src/check.c b/src/check.c
index 82f18e3..c9802a6 100644
--- a/src/check.c
+++ b/src/check.c
@@ -1794,7 +1794,8 @@
 	cur_arg += 2;
 	if (*args[cur_arg] && *args[cur_arg+1] &&
 	    (strcmp(args[cur_arg], "EHLO") == 0 || strcmp(args[cur_arg], "HELO") == 0)) {
-		cmd = calloc(strlen(args[cur_arg]) + strlen(args[cur_arg+1]) + 1, sizeof(*cmd));
+		/* <EHLO|HELO> + space (1) + <host> + null byte (1) */
+		cmd = calloc(strlen(args[cur_arg]) + 1 + strlen(args[cur_arg+1]) + 1, sizeof(*cmd));
 		if (cmd)
 			sprintf(cmd, "%s %s", args[cur_arg], args[cur_arg+1]);
 	}