--- /dev/null
+From e5b942ae007d0533fbd599c64d550f3a8355b940 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Thu, 21 Mar 2019 20:01:03 +0000
+Subject: [PATCH] Harden plaintext authenticator
+
+Cherry-picked from: f9fc942757
+---
+ doc/ChangeLog | 5 +++++
+ src/auths/plaintext.c | 6 +-----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/doc/ChangeLog b/doc/ChangeLog
+index 3d63725f..c34e60d1 100644
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -32,10 +32,15 @@ JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was
+ used both for input and for a verify callout, both encrypted, SMTP
+ responses being sent by the server could be lost. This resulted in
+ dropped connections and sometimes bounces generated by a peer sending
+ to this system.
+
++JH/11 Harden plaintext authenticator against a badly misconfigured client-send
++ string. Previously it was possible to cause undefined behaviour in a
++ library routine (usually a crash). Found by "zerons".
++
++
+
+ Exim version 4.92
+ -----------------
+
+ JH/01 Remove code calling the customisable local_scan function, unless a new
+diff --git a/src/auths/plaintext.c b/src/auths/plaintext.c
+index 7a0f7885..fa05b0ad 100644
+--- a/src/auths/plaintext.c
++++ b/src/auths/plaintext.c
+@@ -221,15 +221,11 @@ while ((s = string_nextinlist(&text, &sep, big_buffer, big_buffer_size)))
+ for (i = 0; i < len; i++)
+ if (ss[i] == '^')
+ if (ss[i+1] != '^')
+ ss[i] = 0;
+ else
+- {
+- i++;
+- len--;
+- memmove(ss + i, ss + i + 1, len - i);
+- }
++ if (--len > ++i) memmove(ss + i, ss + i + 1, len - i);
+
+ /* The first string is attached to the AUTH command; others are sent
+ unembellished. */
+
+ if (first)
+--
+2.20.1
+
HCoop / hcoop / debian / exim4.git / blobdiff