http://bugs.exim.org/show_bug.cgi?id=896
Summary: dovecot AUTH segfaults on long answer
Product: Exim
Version: 4.69
Platform: Other
URL: http://bugs.debian.org/551106
OS/Version: Linux
Status: NEW
Keywords: work:tiny
Severity: bug
Priority: high
Component: SMTP Authentication
AssignedTo: nigel@???
ReportedBy: eximusers@???
CC: exim-dev@???
Created an attachment (id=331) --> (http://bugs.exim.org/attachment.cgi?id=331)
suggested patch

There is a bug in the dovecot authenticator which causes a segfault if the
initial response of dovecot on the socket exceeds 256 characters.

dc_gets() reads sizeof(sbuffer) characters from the socket and gives back the
output line by line.

If the end of sbuffer is reached without finding the DONE and ending on \n,
up to another sizeof(sbuffer) characters will be read from the socket. However,
on the second read the counter p, which marks the read position on the input
buffer, is not reset. At this point p is greater than sbp, the while clause is
skipped and memmove tries to copy the string to a position *before* the start
of sbuffer.

  for (;;)
    {
    if (sbp == 0)
      {
      sbp = read(fd, sbuffer, sizeof(sbuffer));
      if (sbp == 0) { if (count == 0) return NULL; else break; }
      }

    while (p < sbp)
      {
      if (count >= n - 1) break;
      s[count++] = sbuffer[p];
      if (sbuffer[p++] == '\n') break;
      }

    memmove(sbuffer, sbuffer + p, sbp - p);

Suggested patch attached.
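
The index arithmetic described above, as an added example that is not part of the report, the attached patch or Exim's source: a model of the quoted loop run on a constructed 300-byte line, which reports the memmove length instead of performing the bad copy. Assumptions: p, sbp and count are ints; fake_read(), model_gets() and reset_p are hypothetical names; the loop tail after memmove is not shown in the report; resetting p on refill is one illustrative fix.

```c
#include <stdio.h>
#include <string.h>

#define SBUF 256   /* sbuffer size from the report */
#define LINE 300   /* constructed reply: 299 x 'A' plus '\n', longer than SBUF */

static char stream[LINE];
static int spos;
/* Stand-in for read(): hands out at most `want` bytes of the stream. */
static int fake_read(char *dst, int want)
{
    int n = LINE - spos < want ? LINE - spos : want;
    memcpy(dst, stream + spos, (size_t)n);
    spos += n;
    return n;
}

/* Returns the first negative memmove length (sbp - p) the loop would use, or
   0 if all lengths were valid. reset_p = 1 restarts p at 0 after a refill. */
static int model_gets(char *s, int n, int reset_p)
{
    char sbuffer[SBUF];
    int sbp = 0, p = 0, count = 0;
    memset(stream, 'A', LINE - 1); stream[LINE - 1] = '\n'; spos = 0;
    for (;;) {
        if (sbp == 0) {
            sbp = fake_read(sbuffer, SBUF);
            if (sbp == 0) break;
            if (reset_p) p = 0;            /* illustrative fix */
        }
        while (p < sbp) {
            if (count >= n - 1) break;
            s[count++] = sbuffer[p];
            if (sbuffer[p++] == '\n') break;
        }
        if (sbp - p < 0) return sbp - p;   /* as size_t this is a huge length */
        memmove(sbuffer, sbuffer + p, (size_t)(sbp - p));
        sbp -= p;                          /* assumed loop tail, not in the report */
        if (s[count - 1] == '\n' || count == n - 1) break;
    }
    s[count] = 0;
    return 0;
}

int main(void)
{
    char s[512];
    printf("as reported: %d, with p reset: %d\n", model_gets(s, 512, 0), model_gets(s, 512, 1));
    return 0;
}
```

With the loop as quoted, the second read returns 44 bytes while p is still 256, so the length passed to memmove is 44 - 256.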