Szerző: Jeremy Harris Dátum: Címzett: exim-users Tárgy: Re: [exim] a question about auth_client_item()
On 18/03/2019 14:40, zerons via Exim-users wrote: > I am reading exim code now. A piece of code in auth_client_item()
> come to my attention. > I wonder if `ss` could be something like this: '^^^^', or '^^aaaaaaaa^'.
> If so, then `len` could be less than `i`, lead to memory corruption in
> memmove.
You are correct, and it's been like that since at least 2004.
Fortunately it takes a gratuitously malconfigured client_send
string to induce it (at least for PLAIN and LOGIN uses), so
probably nobody was ever bitten.
A simple check on i vs. len avoids the crash; I don't intend to
deal any better with it since the ^-escaping is a kludge here
(I see no way to have a literal ^ at the start or right after
a ^-signalled NUL).