Gitweb:
https://git.exim.org/exim.git/commitdiff/936e342d560e218c2aee5cb2295be925c27c2106
Commit: 936e342d560e218c2aee5cb2295be925c27c2106
Parent: f3d71ba5d3dc67ec6f9021e1da0d106ccfef080b
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Thu May 11 19:31:54 2023 +0100
Committer: Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Sat Sep 30 22:49:31 2023 +0200
Auths: fix possible OOB write in SPA authenticator. Bug 3000
(cherry picked from commit e17b8b0f19b25a223b0cc41933b881c3a1073e61)
---
doc/doc-txt/ChangeLog | 3 +++
src/src/auths/auth-spa.c | 4 +++-
2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 2f7135909..97987f014 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -196,6 +196,9 @@ JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings
JH/40 Bug 2999: Fix a possible OOB write in the external authenticator, which
could be triggered by externally-supplied input. Found by Trend Micro.
+JH/41 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could
+ be triggered by externally-controlled input. Found by Trend Micro.
+
Exim version 4.96
-----------------
diff --git a/src/src/auths/auth-spa.c b/src/src/auths/auth-spa.c
index ec763e5b0..27e95805b 100644
--- a/src/src/auths/auth-spa.c
+++ b/src/src/auths/auth-spa.c
@@ -1214,7 +1214,9 @@ char versionString[] = "libntlm version 0.21";
#define spa_bytes_add(ptr, header, buf, count) \
{ \
-if (buf && (count) != 0) /* we hate -Wint-in-bool-contex */ \
+if ( buf && (count) != 0 /* we hate -Wint-in-bool-contex */ \
+ && ptr->bufIndex + count < sizeof(ptr->buffer) \
+ ) \
{ \
SSVAL(&ptr->header.len,0,count); \
SSVAL(&ptr->header.maxlen,0,count); \
--
## subscription configuration (requires account):
##
https://lists.exim.org/mailman3/postorius/lists/exim-cvs.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-cvs-unsubscribe@???
## Exim details at
http://www.exim.org/
## Please use the Wiki with this list -
http://wiki.exim.org/
