| 1 | From e5b942ae007d0533fbd599c64d550f3a8355b940 Mon Sep 17 00:00:00 2001 |
| 2 | From: Jeremy Harris <jgh146exb@wizmail.org> |
| 3 | Date: Thu, 21 Mar 2019 20:01:03 +0000 |
| 4 | Subject: [PATCH] Harden plaintext authenticator |
| 5 | |
| 6 | Cherry-picked from: f9fc942757 |
| 7 | --- |
| 8 | doc/ChangeLog | 5 +++++ |
| 9 | src/auths/plaintext.c | 6 +----- |
| 10 | 2 files changed, 6 insertions(+), 5 deletions(-) |
| 11 | |
| 12 | diff --git a/doc/ChangeLog b/doc/ChangeLog |
| 13 | index 3d63725f..c34e60d1 100644 |
| 14 | --- a/doc/ChangeLog |
| 15 | +++ b/doc/ChangeLog |
| 16 | @@ -32,10 +32,15 @@ JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was |
| 17 | used both for input and for a verify callout, both encrypted, SMTP |
| 18 | responses being sent by the server could be lost. This resulted in |
| 19 | dropped connections and sometimes bounces generated by a peer sending |
| 20 | to this system. |
| 21 | |
| 22 | +JH/11 Harden plaintext authenticator against a badly misconfigured client-send |
| 23 | + string. Previously it was possible to cause undefined behaviour in a |
| 24 | + library routine (usually a crash). Found by "zerons". |
| 25 | + |
| 26 | + |
| 27 | |
| 28 | Exim version 4.92 |
| 29 | ----------------- |
| 30 | |
| 31 | JH/01 Remove code calling the customisable local_scan function, unless a new |
| 32 | diff --git a/src/auths/plaintext.c b/src/auths/plaintext.c |
| 33 | index 7a0f7885..fa05b0ad 100644 |
| 34 | --- a/src/auths/plaintext.c |
| 35 | +++ b/src/auths/plaintext.c |
| 36 | @@ -221,15 +221,11 @@ while ((s = string_nextinlist(&text, &sep, big_buffer, big_buffer_size))) |
| 37 | for (i = 0; i < len; i++) |
| 38 | if (ss[i] == '^') |
| 39 | if (ss[i+1] != '^') |
| 40 | ss[i] = 0; |
| 41 | else |
| 42 | - { |
| 43 | - i++; |
| 44 | - len--; |
| 45 | - memmove(ss + i, ss + i + 1, len - i); |
| 46 | - } |
| 47 | + if (--len > ++i) memmove(ss + i, ss + i + 1, len - i); |
| 48 | |
| 49 | /* The first string is attached to the AUTH command; others are sent |
| 50 | unembellished. */ |
| 51 | |
| 52 | if (first) |
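Review bot: The guarded `memmove` in the `else` branch still shifts only `len - i` bytes, so the string's old terminator is not carried along and `ss[len]` keeps a stale copy of the previous last character; the `ss[i+1] != '^'` test then reads that leftover byte once `i` reaches `len - 1`. The new guard keeps a negative length away from `memmove`, but the caret decision can still be made on stale data, and the byte shifted into `ss[i]` is never examined because the loop's own `i++` steps over it. Assuming `len` is the string length of `ss` on entry (it is set outside this hunk, and the enclosing `while` body continues past it), removing the second caret in place and moving the terminator with the tail avoids both: `else { len--; memmove(ss + i + 1, ss + i + 2, len - i); }`. A short comment stating the invariant, e.g. `/* ss[len] is always NUL; drop the second '^' and re-scan from the next byte */`, would make the bound auditable for the next reader.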
| 53 | -- |
| 54 | 2.20.1 |
| 55 | |