Gitweb:
https://git.exim.org/exim.git/commitdiff/a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0
Commit: a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0
Parent: 43ba45ce62100bc1dbc9b04b5d869f59026783f5
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Wed May 6 22:31:25 2020 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Wed May 6 22:31:25 2020 +0100
Rework SPA fix to avoid overflows. Bug 2571
Amends: 57aa14b216
---
src/src/auths/spa.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c
index f83d114..ff90d33 100644
--- a/src/src/auths/spa.c
+++ b/src/src/auths/spa.c
@@ -141,6 +141,7 @@ SPAAuthResponse response;
SPAAuthResponse *responseptr = &response;
uschar msgbuf[2048];
uschar *clearpass, *s;
+unsigned off;
/* send a 334, MS Exchange style, and grab the client's request,
unless we already have it via an initial response. */
@@ -187,10 +188,13 @@ that causes failure if the size of msgbuf is exceeded. ****/
{
int i;
- char * p = (CS responseptr) + IVAL(&responseptr->uUser.offset,0);
+ char * p;
int len = SVAL(&responseptr->uUser.len,0)/2;
- if (p + len*2 >= CS (responseptr+1))
+ if ( (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
+ || len >= sizeof(responseptr->buffer)/2
+ || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
+ )
{
DEBUG(D_auth)
debug_printf("auth_spa_server(): bad uUser spec in response\n");
@@ -242,13 +246,14 @@ spa_smb_nt_encrypt(clearpass, challenge.challengeData, ntRespData);
/* compare NT hash (LM may not be available) */
-s = (US responseptr) + IVAL(&responseptr->ntResponse.offset,0);
-if (s + 24 >= US (responseptr+1))
+off = IVAL(&responseptr->ntResponse.offset,0);
+if (off >= sizeof(SPAAuthResponse) - 24)
{
DEBUG(D_auth)
debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
return FAIL;
}
+s = (US responseptr) + off;
if (memcmp(ntRespData, s, 24) == 0)
return auth_check_serv_cond(ablock); /* success. we have a winner. */