1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
|
From e5b942ae007d0533fbd599c64d550f3a8355b940 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Thu, 21 Mar 2019 20:01:03 +0000
Subject: [PATCH] Harden plaintext authenticator
Cherry-picked from: f9fc942757
---
doc/ChangeLog | 5 +++++
src/auths/plaintext.c | 6 +-----
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 3d63725f..c34e60d1 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -32,10 +32,15 @@ JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was
used both for input and for a verify callout, both encrypted, SMTP
responses being sent by the server could be lost. This resulted in
dropped connections and sometimes bounces generated by a peer sending
to this system.
+JH/11 Harden plaintext authenticator against a badly misconfigured client-send
+ string. Previously it was possible to cause undefined behaviour in a
+ library routine (usually a crash). Found by "zerons".
+
+
Exim version 4.92
-----------------
JH/01 Remove code calling the customisable local_scan function, unless a new
diff --git a/src/auths/plaintext.c b/src/auths/plaintext.c
index 7a0f7885..fa05b0ad 100644
--- a/src/auths/plaintext.c
+++ b/src/auths/plaintext.c
@@ -221,15 +221,11 @@ while ((s = string_nextinlist(&text, &sep, big_buffer, big_buffer_size)))
for (i = 0; i < len; i++)
if (ss[i] == '^')
if (ss[i+1] != '^')
ss[i] = 0;
else
- {
- i++;
- len--;
- memmove(ss + i, ss + i + 1, len - i);
- }
+ if (--len > ++i) memmove(ss + i, ss + i + 1, len - i);
/* The first string is attached to the AUTH command; others are sent
unembellished. */
if (first)
--
2.20.1
|
