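diff -Naur exim-4.43.orig/src/auths/auth-spa.c exim-4.43/src/auths/auth-spa.c
--- exim-4.43.orig/src/auths/auth-spa.c 2004-10-05 10:32:08.000000000 +0200
+++ exim-4.43/src/auths/auth-spa.c 2005-01-08 00:33:23.444497800 +0100
@@ -404,8 +404,10 @@
 *out = '\0';
 }
 
+/* The outlength parameter was added by PH, December 2004 */
+
 int
-spa_base64_to_bits (char *out, const char *in)
+spa_base64_to_bits (char *out, int outlength, const char *in)
 /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
 {
 int len = 0;
@@ -418,6 +420,8 @@
 
 do
 {
+ if (len >= outlength) /* Added by PH */
+ return (-1); /* Added by PH */
 digit1 = in[0];
 if (DECODE64 (digit1) == BAD)
 return (-1);
@@ -435,12 +439,16 @@
 ++len;
 if (digit3 != '=')
 {
+ if (len >= outlength) /* Added by PH */
+ return (-1); /* Added by PH */
 *out++ =
 ((DECODE64 (digit2) << 4) & 0xf0) | (DECODE64 (digit3) >> 2);
 ++len;
 if (digit4 != '=')
 {
- *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4);
+ if (len >= outlength) /* Added by PH */
+ return (-1); /* Added by PH */
+ *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4);
 ++len;
 }
 }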
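Review bot: The function comment under the new signature still says only "returning count of bytes", so the contract added here is undocumented: with the three `if (len >= outlength) return (-1);` guards, -1 now means either malformed base64 or output that would exceed `outlength`. I would replace the dated `/* Added by PH */` markers with one header comment such as `/* Decode base64 from in into out, writing at most outlength bytes; returns the byte count, or -1 on bad input or if the output would not fit. */`. Separately, `outlength` is an `int` while the callers in spa.c pass `sizeof(...)`; `size_t` would avoid the implicit narrowing, though `len` and the return type would then need a matching look. The function body starts and continues outside these hunks, so the first write that the loop-top guard protects is not visible here.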
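diff -Naur exim-4.43.orig/src/auths/auth-spa.h exim-4.43/src/auths/auth-spa.h
--- exim-4.43.orig/src/auths/auth-spa.h 2004-10-05 10:32:08.000000000 +0200
+++ exim-4.43/src/auths/auth-spa.h 2005-01-08 00:33:23.444497800 +0100
@@ -10,6 +10,9 @@
 * Samba project (by Andrew Tridgell, Jeremy Allison, and others).
 */
 
+/* December 2004: The spa_base64_to_bits() function has no length checking in
+ * it. I have added a check. PH */
+
 /* It seems that some systems have existing but different definitions of some
 of the following types. I received a complaint about "int16" causing
 compilation problems. So I (PH) have renamed them all, to be on the safe side.
@@ -75,7 +78,7 @@
 #define spa_request_length(ptr) (((ptr)->buffer - (uint8x*)(ptr)) + (ptr)->bufIndex)
 
 void spa_bits_to_base64 (unsigned char *, const unsigned char *, int);
-int spa_base64_to_bits(char *, const char *);
+int spa_base64_to_bits(char *, int, const char *);
 void spa_build_auth_response (SPAAuthChallenge *challenge,
 SPAAuthResponse *response, char *user, char *password);
 void spa_build_auth_request (SPAAuthRequest *request, char *user,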
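Review bot: The updated prototype `int spa_base64_to_bits(char *, int, const char *);` leaves all three parameters unnamed, so a reader of the header cannot tell that the `int` is the capacity of the first argument. Naming them, `int spa_base64_to_bits(char *out, int outlength, const char *in);`, matches the definition in auth-spa.c and the named style of the `spa_build_auth_response` prototype just below. The new file comment also describes the state before this patch ("has no length checking"); wording it as what the function does now would age better.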
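diff -Naur exim-4.43.orig/src/auths/spa.c exim-4.43/src/auths/spa.c
--- exim-4.43.orig/src/auths/spa.c 2004-10-05 10:32:08.000000000 +0200
+++ exim-4.43/src/auths/spa.c 2005-01-08 00:33:42.155653272 +0100
@@ -133,7 +133,7 @@
 return FAIL;
 }
 
-if (spa_base64_to_bits((char *)(&request), (const char *)(data)) < 0)
+if (spa_base64_to_bits((char *)(&request), sizeof(request), (const char *)(data)) < 0)
 {
 DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
 "request: %s\n", data);
@@ -153,7 +153,7 @@
 }
 
 /* dump client response */
-if (spa_base64_to_bits((char *)(&response), (const char *)(data)) < 0)
+if (spa_base64_to_bits((char *)(&response), sizeof(response), (const char *)(data)) < 0)
 {
 DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
 "response: %s\n", data);
@@ -319,7 +319,7 @@
 /* convert the challenge into the challenge struct */
 DSPA("\n\n%s authenticator: challenge (%s)\n\n",
 ablock->name, buffer + 4);
- spa_base64_to_bits ((char *)(&challenge), (const char *)(buffer + 4));
+ spa_base64_to_bits ((char *)(&challenge), sizeof(challenge), (const char *)(buffer + 4));
 
 spa_build_auth_response (&challenge, &response,
 CS username, CS password);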
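Review bot: In the last hunk of this section the return value of `spa_base64_to_bits ((char *)(&challenge), sizeof(challenge), ...)` is still discarded, so when the decoder stops with -1 on an oversized or malformed server challenge, `spa_build_auth_response` goes on to read a partly filled `challenge`. The call should be tested like the two server-side calls, e.g. `if (spa_base64_to_bits((char *)(&challenge), sizeof(challenge), (const char *)(buffer + 4)) < 0)`, followed by whatever failure path this function uses (not visible in the hunk). The server-side callers also test only `< 0`; a decode that succeeds with fewer bytes than the struct's fixed fields leaves the rest of `request`/`response` unset unless they are cleared elsewhere, so comparing the returned count with a minimum size is worth adding. The debug text "bad base64 data" now also covers the too-long case, which the message should say for anyone triaging authentication failures from logs.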
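diff -Naur exim-4.43.orig/src/host.c exim-4.43/src/host.c
--- exim-4.43.orig/src/host.c 2004-10-05 10:32:08.000000000 +0200
+++ exim-4.43/src/host.c 2005-01-08 00:33:01.790789664 +0100
@@ -710,12 +710,18 @@
 
 if (*p == ':') p++;
 
- /* Split the address into components separated by colons. */
+ /* Split the address into components separated by colons. The input address
+ * is supposed to be checked for syntax. There was a case where this was
+ * overlooked; to guard against that happening again, check here and crash if
+ * there is a violation. */
 
 while (*p != 0)
 {
 int len = Ustrcspn(p, ":");
 if (len == 0) nulloffset = ci;
+ if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
+ address);
 component[ci++] = p;
 p += len;
 if (*p == ':') p++;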
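Review bot: The new bound `if (ci > 7)` hard-codes the capacity of `component`, whose declaration lies outside the hunk; if the array is ever resized, the guard and the array silently disagree. Deriving it from the object, `if (ci >= (int)(sizeof(component)/sizeof(component[0])))`, keeps the check tied to what it protects. The guard also relies on `log_write` with `LOG_PANIC_DIE` never returning, because `component[ci++] = p;` follows unconditionally; a short comment saying so, and braces around the three-line `if`, would make that explicit. The chosen failure mode ends the process on a malformed address, so callers that take addresses from untrusted input still need the syntax check the comment refers to.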
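diff -Naur exim-4.43.orig/src/lookups/dnsdb.c exim-4.43/src/lookups/dnsdb.c
--- exim-4.43.orig/src/lookups/dnsdb.c 2004-10-05 10:32:08.000000000 +0200
+++ exim-4.43/src/lookups/dnsdb.c 2005-01-08 00:32:31.125451504 +0100
@@ -125,7 +125,7 @@
 /* If the type is PTR, we have to construct the relevant magic lookup
 key. This code is now in a separate function. */
 
-if (type == T_PTR)
+if (type == T_PTR && string_is_ip_address(keystring, NULL))
 {
 dns_build_reverse(keystring, buffer);
 keystring = buffer;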
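Review bot: The comment above the changed condition still says "If the type is PTR, we have to construct the relevant magic lookup key", but with `&& string_is_ip_address(keystring, NULL)` a PTR lookup whose key is not an IP address now skips `dns_build_reverse` and carries on with the key as given. That fall-through looks intended, but it should be stated, e.g. `/* For PTR with an IP-address key, build the reverse-lookup name; any other key is looked up unchanged. */`. The size of `buffer` and the rest of the function are outside the hunk, so whether `dns_build_reverse` stays within `buffer` for the longest valid address cannot be confirmed from here.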