diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2019-03-21 20:01:03 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2019-03-21 20:01:03 +0000 |
commit | e5b942ae007d0533fbd599c64d550f3a8355b940 (patch) | |
tree | cbd120f7603b74619cd61ac8d108e7618fb1c675 | |
parent | 332ebeaf8139b2b75f475880fc14b63c7c45c706 (diff) | |
download | exim4-e5b942ae007d0533fbd599c64d550f3a8355b940.tar.gz |
Harden plaintext authenticator
Cherry-picked from: f9fc942757
-rw-r--r-- | doc/doc-txt/ChangeLog | 5 | ||||
-rw-r--r-- | src/src/auths/plaintext.c | 6 |
2 files changed, 6 insertions, 5 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 3d63725f2..c34e60d1c 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -34,6 +34,11 @@ JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was dropped connections and sometimes bounces generated by a peer sending to this system. +JH/11 Harden plaintext authenticator against a badly misconfigured client-send + string. Previously it was possible to cause undefined behaviour in a + library routine (usually a crash). Found by "zerons". + + Exim version 4.92 ----------------- diff --git a/src/src/auths/plaintext.c b/src/src/auths/plaintext.c index 7a0f78852..fa05b0ad5 100644 --- a/src/src/auths/plaintext.c +++ b/src/src/auths/plaintext.c @@ -223,11 +223,7 @@ while ((s = string_nextinlist(&text, &sep, big_buffer, big_buffer_size))) if (ss[i+1] != '^') ss[i] = 0; else - { - i++; - len--; - memmove(ss + i, ss + i + 1, len - i); - } + if (--len > ++i) memmove(ss + i, ss + i + 1, len - i); /* The first string is attached to the AUTH command; others are sent unembellished. */ |