Gitweb: https://git.exim.org/exim.git/commitdiff/f9fc9427579982838daf3e50c1d14b69bf59a43e
Commit: f9fc9427579982838daf3e50c1d14b69bf59a43e
Parent: a9f6ab7d420d1ff1389058eb9e7ba3ec5c2ea011
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Mar 21 19:54:31 2019 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Thu Mar 21 19:54:31 2019 +0000
Harden plaintext authenticator
---
doc/doc-txt/ChangeLog | 4 ++++
src/src/auths/get_data.c | 6 +-----
2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 2085a3b..fa8f467 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -48,6 +48,10 @@ JH/10 OpenSSL: Fix aggregation of messages. Previously, when PIPELINING was
dropped connections and sometimes bounces generated by a peer sending
to this system.
+JH/11 Harden plaintext authenticator against a badly misconfigured client-send
+ string. Previously it was possible to cause undefined behaviour in a
+ library routine (usually a crash). Found by "zerons".
+
Exim version 4.92
-----------------
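Review bot: the JH/11 entry names neither the library routine nor the input pattern, and writes the option as "client-send" rather than `client_send`, so it is hard to match against a configuration or against the code. Naming `memmove` (the call changed in src/src/auths/get_data.c) and saying that the trigger involves doubled `^` characters in the string would let an administrator judge whether their own `client_send` setting was exposed.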
diff --git a/src/src/auths/get_data.c b/src/src/auths/get_data.c
index 37dcd37..efb4d6d 100644
--- a/src/src/auths/get_data.c
+++ b/src/src/auths/get_data.c
@@ -174,11 +174,7 @@ for (int i = 0; i < len; i++)
if (ss[i+1] != '^')
ss[i] = 0;
else
- {
- i++;
- len--;
- memmove(ss + i, ss + i + 1, len - i);
- }
+ if (--len > ++i) memmove(ss + i, ss + i + 1, len - i);
/* The first string is attached to the AUTH command; others are sent
unembellished. */
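Review bot: the guard on the `+` line stops the bad `memmove` length but leaves its cause in place, because the move still copies only `len - i` bytes and so never brings the terminator down to the new `ss[len]`. After one collapse, `ss[len]` holds a stale copy of the old last byte, and the `ss[i+1]` lookahead reads exactly that byte on the last pass of `for (int i = 0; i < len; i++)`. If the stale byte is `^`, a single trailing `^` is treated as a doubled one, the guard skips the move, and `len` is silently shortened instead of a separator being written. Assuming `ss[len]` is the NUL on entry (not shown in this hunk), moving one more byte (`len - i + 1`) would keep the string terminated and make the lookahead safe, with the guard kept as a backstop. Separately, `--len > ++i` hides two state changes inside a comparison; putting `i++; len--;` on their own line and adding a comment on when `len - i` can drop to zero or below would make the hardening easier to audit.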