[exim-dev] [Bug 896] New: dovecot AUTH segfaults on long ans…

Kezdőlap
Üzenet törlése
Válasz az üzenetre
Szerző: Andreas Metzler
Dátum:  
Címzett: exim-dev
Új témák: [exim-dev] [Bug 896] dovecot AUTH segfaults on long answer
Tárgy: [exim-dev] [Bug 896] New: dovecot AUTH segfaults on long answer
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=896
           Summary: dovecot AUTH segfaults on long answer
           Product: Exim
           Version: 4.69
          Platform: Other
               URL: http://bugs.debian.org/551106
        OS/Version: Linux
            Status: NEW
          Keywords: work:tiny
          Severity: bug
          Priority: high
         Component: SMTP Authentication
        AssignedTo: nigel@???
        ReportedBy: eximusers@???
                CC: exim-dev@???



Created an attachment (id=331)
--> (http://bugs.exim.org/attachment.cgi?id=331)
suggested patch

There is a bug in the dovecot authenticator which causes a segfault if the
initial response of dovecot on the socket exceeds 256 characters.

dc_gets() reads sizeof(sbuffer) characters from the socket and gives back the
output line by line.

If the end of sbuffer is reached without finding the DONE and ending on \n
another up to sizeof(sbuffer) characters will be read from the socket. However
on the second read the counter p which marks the read position on the input
buffer is not reset. At this point p is greater than sbp, the while clause is
skipped and memmove tries to copy the string to a position *before* the start
of sbuffer.

for (;;)
  {
  if (sbp == 0)
    {
    sbp = read(fd, sbuffer, sizeof(sbuffer));
    if (sbp == 0) { if (count == 0) return NULL; else break; }
    }


  while (p < sbp)
    {
    if (count >= n - 1) break;
    s[count++] = sbuffer[p];
    if (sbuffer[p++] == '\n') break;
    }


memmove(sbuffer, sbuffer + p, sbp - p);


Suggested patch attached.


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email