From f9fc9427579982838daf3e50c1d14b69bf59a43e Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 21 Mar 2019 19:54:31 +0000 Subject: [PATCH] Harden plaintext authenticator --- doc/doc-txt/ChangeLog | 4 ++++ src/src/auths/get_data.c | 6 +----- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 2085a3b7b..fa8f467e6 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -48,6 +48,10 @@ JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was dropped connections and sometimes bounces generated by a peer sending to this system. +JH/11 Harden plaintext authenticator against a badly misconfigured client-send + string. Previously it was possible to cause undefined behaviour in a + library routine (usually a crash). Found by "zerons". + Exim version 4.92 ----------------- diff --git a/src/src/auths/get_data.c b/src/src/auths/get_data.c index 37dcd37cc..efb4d6d8b 100644 --- a/src/src/auths/get_data.c +++ b/src/src/auths/get_data.c @@ -174,11 +174,7 @@ for (int i = 0; i < len; i++) if (ss[i+1] != '^') ss[i] = 0; else - { - i++; - len--; - memmove(ss + i, ss + i + 1, len - i); - } + if (--len > ++i) memmove(ss + i, ss + i + 1, len - i); /* The first string is attached to the AUTH command; others are sent unembellished. */ -- 2.25.1