author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 09:44:08 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 09:44:08 +0000 |
commit | 933bbaf3ed7bd659a5c044745aea763815928598 (patch) | |
tree | 6fe3906ff9f7121999800da3683c206d128b7d39 /debian/patches/75_32-Auths-fix-possible-OOB-read-in-SPA-authenticator.-Bu.patch | |
parent | Adding upstream version 4.94.2. (diff) | |
Adding debian version 4.94.2-7+deb11u2.debian/4.94.2-7+deb11u2debian
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'debian/patches/75_32-Auths-fix-possible-OOB-read-in-SPA-authenticator.-Bu.patch')
-rw-r--r-- | debian/patches/75_32-Auths-fix-possible-OOB-read-in-SPA-authenticator.-Bu.patch | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/debian/patches/75_32-Auths-fix-possible-OOB-read-in-SPA-authenticator.-Bu.patch b/debian/patches/75_32-Auths-fix-possible-OOB-read-in-SPA-authenticator.-Bu.patch
new file mode 100644
index 0000000..d4e0eb6
--- /dev/null
+++ b/debian/patches/75_32-Auths-fix-possible-OOB-read-in-SPA-authenticator.-Bu.patch
@@ -0,0 +1,75 @@
+From 04107e98d58efb69f7e2d7b81176e5374c7098a3 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Thu, 11 May 2023 21:08:08 +0100
+Subject: [PATCH 4/4] Auths: fix possible OOB read in SPA authenticator. Bug
+ 3001
+
+---
+ doc/doc-txt/ChangeLog | 3 +++
+ src/src/auths/auth-spa.c | 36 ++++++++++++++++++++++++++++--------
+ 2 files changed, 31 insertions(+), 8 deletions(-)
+
+--- a/src/auths/auth-spa.c
++++ b/src/auths/auth-spa.c
+@@ -1254,15 +1254,10 @@ spa_bytes_add(ptr, header, b, len*2); \
+ }
+
+
+-#define GetUnicodeString(structPtr, header) \
+-unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
+-#define GetString(structPtr, header) \
+-toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
+-
+ #ifdef notdef
+
+ #define DumpBuffer(fp, structPtr, header) \
+-dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
++ dumpRaw(fp,(US structPtr)+IVAL(&structPtr->header.offset,0),SVAL(&structPtr->header.len,0))
+
+
+ static void
+@@ -1326,8 +1321,33 @@ buf[len] = 0;
+ return buf;
+ }
+
++static inline uschar *
++get_challenge_unistr(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
++{
++int off = IVAL(&hdr->offset, 0);
++int len = SVAL(&hdr->len, 0);
++return off + len < sizeof(SPAAuthChallenge)
++ ? US unicodeToString(CS challenge + off, len/2) : US"";
++}
++
++static inline uschar *
++get_challenge_str(SPAAuthChallenge * challenge, SPAStrHeader * hdr)
++{
++int off = IVAL(&hdr->offset, 0);
++int len = SVAL(&hdr->len, 0);
++return off + len < sizeof(SPAAuthChallenge)
++ ? US toString(CS challenge + off, len) : US"";
++}
++
+ #ifdef notdef
+
++#define GetUnicodeString(structPtr, header) \
++ unicodeToString(((char*)structPtr) + IVAL(&structPtr->header.offset,0) , SVAL(&structPtr->header.len,0)/2)
++
++#define GetString(structPtr, header) \
++ toString(((CS structPtr) + IVAL(&structPtr->header.offset,0)), SVAL(&structPtr->header.len,0))
++
++
+ void
+ dumpSmbNtlmAuthRequest (FILE * fp, SPAAuthRequest * request)
+ {
+@@ -1497,8 +1517,8 @@ if (p)
+ }
+
+ else domain = d = string_copy(cf & 0x1
+- ? CUS GetUnicodeString(challenge, uDomain)
+- : CUS GetString(challenge, uDomain));
++ ? CUS get_challenge_unistr(challenge, &challenge->uDomain)
++ : CUS get_challenge_str(challenge, &challenge->uDomain));
+
+ spa_smb_encrypt(password, challenge->challengeData, lmRespData);
+ spa_smb_nt_encrypt(password, challenge->challengeData, ntRespData); |
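Review bot: The bounds check `off + len < sizeof(SPAAuthChallenge)` in get_challenge_unistr() and get_challenge_str() (second inner hunk of the added patch) constrains only the upper end of the range and computes the sum in signed `int`. `off` is read from a 32-bit field of the server-supplied challenge; if IVAL, which is defined outside this patch, can produce a value that converts to a negative `int`, then a negative `off` with a small `off + len` passes the test and `CS challenge + off` points before the structure. Declaring both locals as `unsigned` and testing `off < sizeof(SPAAuthChallenge) && len < sizeof(SPAAuthChallenge) - off` rejects that case and removes the possible signed overflow in the addition. The test also bounds against the size of the struct rather than the number of bytes actually decoded from the server, so it is worth confirming at the call site (not visible here) that the unused tail of the structure is zeroed before the challenge is decoded into it.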