Re: [exim] a question about auth_client_item()

Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] a question about auth_client_item()
On 18/03/2019 14:40, zerons via Exim-users wrote:
> I am reading exim code now. A piece of code in auth_client_item()
> came to my attention.


> I wonder if `ss` could be something like this: '^^^^', or '^^aaaaaaaa^'.
> If so, then `len` could be less than `i`, leading to memory corruption in
> memmove.


You are correct, and it's been like that since at least 2004.
Fortunately it takes a gratuitously malconfigured client_send
string to induce it (at least for PLAIN and LOGIN uses), so
probably nobody was ever bitten.

A simple check on i vs. len avoids the crash; I don't intend to
deal any better with it since the ^-escaping is a kludge here
(I see no way to have a literal ^ at the start or right after
a ^-signalled NUL).

Thanks for the careful code inspection.
--
Jeremy
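As an added illustration (not code from this thread and not Exim's own auth_client_item()), here is a small in-place decoder for the caret convention the reply refers to, written with the "i vs. len" check Jeremy mentions so that the two strings from the report decode without the memmove length wrapping to a huge value. The decoding rule assumed is that a lone `^` stands for a NUL byte and `^^` for a literal `^`; the function names `caret_unescape` and `caret_check` and the sample inputs are mine.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Decode the client_send caret convention in place.
 * Assumption (this is an illustrative reimplementation, not Exim's code):
 * a lone "^" stands for NUL, "^^" for a literal "^".
 * Returns the decoded length; the buffer may now contain embedded NULs. */
size_t caret_unescape(unsigned char *ss, size_t len)
{
  for (size_t i = 0; i < len; i++)
    {
    if (ss[i] != '^') continue;

    if (i + 1 >= len || ss[i + 1] != '^')
      {
      ss[i] = '\0';                     /* lone "^" signals a NUL byte */
      continue;
      }

    /* "^^": keep ss[i] as a literal caret and drop ss[i+1] by shifting the
     * tail left. Shrink len first, then move only if a tail remains. Without
     * this check a "^^" that ends the buffer (as in "^^^^") gives a negative
     * move count which, as size_t, becomes enormous: the corruption the
     * report describes. */
    len--;
    if (i + 1 < len)
      memmove(ss + i + 1, ss + i + 2, len - i - 1);
    }
  return len;
}

/* Decode a constructed input into a scratch buffer and compare it with the
 * expected bytes (embedded NULs allowed). Returns 1 on match, 0 otherwise. */
int caret_check(const char *in, const unsigned char *want, size_t want_len)
{
  unsigned char buf[64];
  size_t len = strlen(in);
  if (len >= sizeof buf) return 0;
  memcpy(buf, in, len + 1);
  size_t got = caret_unescape(buf, len);
  return got == want_len && memcmp(buf, want, want_len) == 0;
}

/* Print the decoded bytes of one constructed input as hex. */
static void dump(const char *in)
{
  unsigned char buf[64];
  size_t len = strlen(in);
  if (len >= sizeof buf) return;
  memcpy(buf, in, len + 1);
  len = caret_unescape(buf, len);
  printf("%-12s -> %zu bytes:", in, len);
  for (size_t i = 0; i < len; i++) printf(" %02x", buf[i]);
  printf("\n");
}

int main(void)
{
  /* Constructed inputs: the two strings from the report plus a PLAIN-style one. */
  dump("^^^^");
  dump("^^aaaaaaaa^");
  dump("^user^pass");
  return 0;
}
```

The decoder reads greedily from the left, so "^^^" decodes as a literal caret followed by NUL; the other reading (NUL followed by a literal caret) has no spelling under this convention, which is the ambiguity Jeremy points out.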