[exim-cvs] Auths: fix possible OOB write in SPA authenticato…

Página Inicial
Delete this message
Reply to this message
Autor: Exim Git Commits Mailing List
Data:  
Para: exim-cvs
Assunto: [exim-cvs] Auths: fix possible OOB write in SPA authenticator. Bug 3000
Gitweb: https://git.exim.org/exim.git/commitdiff/936e342d560e218c2aee5cb2295be925c27c2106
Commit:     936e342d560e218c2aee5cb2295be925c27c2106
Parent:     f3d71ba5d3dc67ec6f9021e1da0d106ccfef080b
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu May 11 19:31:54 2023 +0100
Committer:  Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Sat Sep 30 22:49:31 2023 +0200


    Auths: fix possible OOB write in SPA authenticator.  Bug 3000


    (cherry picked from commit e17b8b0f19b25a223b0cc41933b881c3a1073e61)
---
 doc/doc-txt/ChangeLog    | 3 +++
 src/src/auths/auth-spa.c | 4 +++-
 2 files changed, 6 insertions(+), 1 deletion(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 2f7135909..97987f014 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -196,6 +196,9 @@ JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings
 JH/40 Bug 2999: Fix a possible OOB write in the external authenticator, which
       could be triggered by externally-supplied input.  Found by Trend Micro.


+JH/41 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could
+      be triggered by externally-controlled input.  Found by Trend Micro.
+


Exim version 4.96
-----------------
diff --git a/src/src/auths/auth-spa.c b/src/src/auths/auth-spa.c
index ec763e5b0..27e95805b 100644
--- a/src/src/auths/auth-spa.c
+++ b/src/src/auths/auth-spa.c
@@ -1214,7 +1214,9 @@ char versionString[] = "libntlm version 0.21";

 #define spa_bytes_add(ptr, header, buf, count) \
 { \
-if (buf && (count) != 0) /* we hate -Wint-in-bool-contex */ \
+if (  buf && (count) != 0    /* we hate -Wint-in-bool-contex */ \
+   && ptr->bufIndex + count < sizeof(ptr->buffer)        \
+   ) \
   { \
   SSVAL(&ptr->header.len,0,count); \
   SSVAL(&ptr->header.maxlen,0,count); \


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-cvs.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-cvs-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/