[exim-dev] [Bug 896] New: dovecot AUTH segfaults on long ans…

Author: Andreas Metzler
Date:  
To: exim-dev
New-Topics: [exim-dev] [Bug 896] dovecot AUTH segfaults on long answer
Subject: [exim-dev] [Bug 896] New: dovecot AUTH segfaults on long answer
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=896
           Summary: dovecot AUTH segfaults on long answer
           Product: Exim
           Version: 4.69
          Platform: Other
               URL: http://bugs.debian.org/551106
        OS/Version: Linux
            Status: NEW
          Keywords: work:tiny
          Severity: bug
          Priority: high
         Component: SMTP Authentication
        AssignedTo: nigel@???
        ReportedBy: eximusers@???
                CC: exim-dev@???
Created an attachment (id=331)
--> (http://bugs.exim.org/attachment.cgi?id=331)
suggested patch

There is a bug in the dovecot authenticator which causes a segfault if the
initial response of dovecot on the socket exceeds 256 characters.

dc_gets() reads sizeof(sbuffer) characters from the socket and gives back the
output line by line.

If the end of sbuffer is reached without finding the DONE and ending on \n,
another up to sizeof(sbuffer) characters will be read from the socket. However,
on the second read the counter p, which marks the read position on the input
buffer, is not reset. At this point p is greater than sbp, the while clause is
skipped and memmove tries to copy the string to a position *before* the start
of sbuffer.

for (;;)
  {
  if (sbp == 0)
    {
    /* refill sbuffer from the socket; p still holds the offset from the
       previous pass and is not reset to 0 here */
    sbp = read(fd, sbuffer, sizeof(sbuffer));
    if (sbp == 0) { if (count == 0) return NULL; else break; }
    }

  /* copy one line (at most n - 1 characters) out of sbuffer; after a refill
     this is skipped entirely if the stale p is already >= sbp */
  while (p < sbp)
    {
    if (count >= n - 1) break;
    s[count++] = sbuffer[p];
    if (sbuffer[p++] == '\n') break;
    }

  /* with p > sbp the length sbp - p is negative: this is the crash */
  memmove(sbuffer, sbuffer + p, sbp - p);

Suggested patch attached.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email
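Added example, not Exim's code and not the patch attached to this bug: a minimal static-buffer line reader in the style of the dc_gets() excerpt above, with the read position reset after every memmove so that an answer longer than the buffer is handled instead of crashing. The names safe_gets, demo_long_answer, demo_line_count and SBUF_SIZE are assumptions made for this illustration; the input fed through the pipe is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define SBUF_SIZE 256   /* assumed to match the excerpt's sbuffer: the report's failure needs a reply longer than this */

static char sbuffer[SBUF_SIZE];
static int sbp = 0;     /* number of bytes currently held in sbuffer */

/* Read one line (at most n - 1 characters) from fd into s, refilling sbuffer
 * as needed. Returns s, or NULL on EOF when nothing was read. */
static char *
safe_gets(char *s, int n, int fd)
{
  int p = 0;        /* read position inside sbuffer */
  int count = 0;    /* characters copied into s so far */

  for (;;)
    {
    if (sbp == 0)
      {
      ssize_t got = read(fd, sbuffer, sizeof(sbuffer));
      if (got <= 0) { if (count == 0) return NULL; else break; }
      sbp = (int)got;
      }

    while (p < sbp)
      {
      if (count >= n - 1) break;
      s[count++] = sbuffer[p];
      if (sbuffer[p++] == '\n') break;
      }

    /* Drop the consumed prefix, account for it in sbp and reset p, so the
     * next pass (possibly after a refill) starts at the buffer's beginning
     * and sbp - p can never go negative. */
    memmove(sbuffer, sbuffer + p, sbp - p);
    sbp -= p;
    p = 0;

    if (count > 0 && (s[count - 1] == '\n' || count >= n - 1)) break;
    }

  s[count] = '\0';
  return s;
}

/* Demonstration: push a constructed answer (one line of line_len 'A's followed
 * by a short "DONE" line) through a pipe and read it back with safe_gets.
 * Returns the length of the longest line read (-1 on error) and, if lines_out
 * is non-NULL, stores the number of lines read there. */
static int
demo_long_answer(int line_len, int *lines_out)
{
  int fds[2];
  char line[1024];
  char out[1024];
  int lines = 0, longest = 0;

  if (line_len < 1 || line_len > 1000) return -1;
  if (pipe(fds) != 0) return -1;

  memset(line, 'A', line_len);
  line[line_len] = '\n';
  if (write(fds[1], line, line_len + 1) != line_len + 1) return -1;
  if (write(fds[1], "DONE\n", 5) != 5) return -1;
  close(fds[1]);             /* EOF for the reader once the pipe drains */

  sbp = 0;                   /* fresh buffer state for this demonstration */
  while (safe_gets(out, sizeof(out), fds[0]) != NULL)
    {
    int len = (int)strlen(out);
    if (len > longest) longest = len;
    lines++;
    }
  close(fds[0]);

  if (lines_out) *lines_out = lines;
  return longest;
}

/* Convenience wrapper returning only the number of lines read. */
static int
demo_line_count(int line_len)
{
  int lines = 0;
  if (demo_long_answer(line_len, &lines) < 0) return -1;
  return lines;
}

int
main(void)
{
  int lines = 0;
  int longest = demo_long_answer(600, &lines);
  printf("read %d lines, longest %d characters\n", lines, longest);
  return 0;
}
```

The 600-character line spans three refills of the 256-byte buffer; because p is reset after each memmove, every pass starts at offset 0 and the trailing "DONE" line is still delivered intact. Removing the `p = 0;` line reproduces the control flow the report describes: the second pass enters the memmove with p carried over from the previous buffer.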