| 9648f297 |
1 | diff -Naur exim-4.43.orig/src/auths/auth-spa.c exim-4.43/src/auths/auth-spa.c |
| 2 | --- exim-4.43.orig/src/auths/auth-spa.c 2004-10-05 10:32:08.000000000 +0200 |
| 3 | +++ exim-4.43/src/auths/auth-spa.c 2005-01-08 00:33:23.444497800 +0100 |
| 4 | @@ -404,8 +404,10 @@ |
| 5 | *out = '\0'; |
| 6 | } |
| 7 | |
| 8 | +/* The outlength parameter was added by PH, December 2004 */ |
| 9 | + |
| 10 | int |
| 11 | -spa_base64_to_bits (char *out, const char *in) |
| 12 | +spa_base64_to_bits (char *out, int outlength, const char *in) |
| 13 | /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */ |
| 14 | { |
| 15 | int len = 0; |
| 16 | @@ -418,6 +420,8 @@ |
| 17 | |
| 18 | do |
| 19 | { |
| 20 | + if (len >= outlength) /* Added by PH */ |
| 21 | + return (-1); /* Added by PH */ |
| 22 | digit1 = in[0]; |
| 23 | if (DECODE64 (digit1) == BAD) |
| 24 | return (-1); |
| 25 | @@ -435,12 +439,16 @@ |
| 26 | ++len; |
| 27 | if (digit3 != '=') |
| 28 | { |
| 29 | + if (len >= outlength) /* Added by PH */ |
| 30 | + return (-1); /* Added by PH */ |
| 31 | *out++ = |
| 32 | ((DECODE64 (digit2) << 4) & 0xf0) | (DECODE64 (digit3) >> 2); |
| 33 | ++len; |
| 34 | if (digit4 != '=') |
| 35 | { |
| 36 | - *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4); |
| 37 | + if (len >= outlength) /* Added by PH */ |
| 38 | + return (-1); /* Added by PH */ |
| 39 | + *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4); |
| 40 | ++len; |
| 41 | } |
| 42 | } |
| 43 | diff -Naur exim-4.43.orig/src/auths/auth-spa.h exim-4.43/src/auths/auth-spa.h |
| 44 | --- exim-4.43.orig/src/auths/auth-spa.h 2004-10-05 10:32:08.000000000 +0200 |
| 45 | +++ exim-4.43/src/auths/auth-spa.h 2005-01-08 00:33:23.444497800 +0100 |
| 46 | @@ -10,6 +10,9 @@ |
| 47 | * Samba project (by Andrew Tridgell, Jeremy Allison, and others). |
| 48 | */ |
| 49 | |
| 50 | +/* December 2004: The spa_base64_to_bits() function has no length checking in |
| 51 | + * it. I have added a check. PH */ |
| 52 | + |
| 53 | /* It seems that some systems have existing but different definitions of some |
| 54 | of the following types. I received a complaint about "int16" causing |
| 55 | compilation problems. So I (PH) have renamed them all, to be on the safe side. |
| 56 | @@ -75,7 +78,7 @@ |
| 57 | #define spa_request_length(ptr) (((ptr)->buffer - (uint8x*)(ptr)) + (ptr)->bufIndex) |
| 58 | |
| 59 | void spa_bits_to_base64 (unsigned char *, const unsigned char *, int); |
| 60 | -int spa_base64_to_bits(char *, const char *); |
| 61 | +int spa_base64_to_bits(char *, int, const char *); |
| 62 | void spa_build_auth_response (SPAAuthChallenge *challenge, |
| 63 | SPAAuthResponse *response, char *user, char *password); |
| 64 | void spa_build_auth_request (SPAAuthRequest *request, char *user, |
| 65 | diff -Naur exim-4.43.orig/src/auths/spa.c exim-4.43/src/auths/spa.c |
| 66 | --- exim-4.43.orig/src/auths/spa.c 2004-10-05 10:32:08.000000000 +0200 |
| 67 | +++ exim-4.43/src/auths/spa.c 2005-01-08 00:33:42.155653272 +0100 |
| 68 | @@ -133,7 +133,7 @@ |
| 69 | return FAIL; |
| 70 | } |
| 71 | |
| 72 | -if (spa_base64_to_bits((char *)(&request), (const char *)(data)) < 0) |
| 73 | +if (spa_base64_to_bits((char *)(&request), sizeof(request), (const char *)(data)) < 0) |
| 74 | { |
| 75 | DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in " |
| 76 | "request: %s\n", data); |
| 77 | @@ -153,7 +153,7 @@ |
| 78 | } |
| 79 | |
| 80 | /* dump client response */ |
| 81 | -if (spa_base64_to_bits((char *)(&response), (const char *)(data)) < 0) |
| 82 | +if (spa_base64_to_bits((char *)(&response), sizeof(response), (const char *)(data)) < 0) |
| 83 | { |
| 84 | DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in " |
| 85 | "response: %s\n", data); |
| 86 | @@ -319,7 +319,7 @@ |
| 87 | /* convert the challenge into the challenge struct */ |
| 88 | DSPA("\n\n%s authenticator: challenge (%s)\n\n", |
| 89 | ablock->name, buffer + 4); |
| 90 | - spa_base64_to_bits ((char *)(&challenge), (const char *)(buffer + 4)); |
| 91 | + spa_base64_to_bits ((char *)(&challenge), sizeof(challenge), (const char *)(buffer + 4)); |
| 92 | |
| 93 | spa_build_auth_response (&challenge, &response, |
| 94 | CS username, CS password); |
| 95 | diff -Naur exim-4.43.orig/src/host.c exim-4.43/src/host.c |
| 96 | --- exim-4.43.orig/src/host.c 2004-10-05 10:32:08.000000000 +0200 |
| 97 | +++ exim-4.43/src/host.c 2005-01-08 00:33:01.790789664 +0100 |
| 98 | @@ -710,12 +710,18 @@ |
| 99 | |
| 100 | if (*p == ':') p++; |
| 101 | |
| 102 | - /* Split the address into components separated by colons. */ |
| 103 | + /* Split the address into components separated by colons. The input address |
| 104 | + * is supposed to be checked for syntax. There was a case where this was |
| 105 | + * overlooked; to guard against that happening again, check here and crash if |
| 106 | + * there is a violation. */ |
| 107 | |
| 108 | while (*p != 0) |
| 109 | { |
| 110 | int len = Ustrcspn(p, ":"); |
| 111 | if (len == 0) nulloffset = ci; |
| 112 | + if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE, |
| 113 | + "Internal error: invalid IPv6 address \"%s\" passed to host_aton()", |
| 114 | + address); |
| 115 | component[ci++] = p; |
| 116 | p += len; |
| 117 | if (*p == ':') p++; |
| 118 | diff -Naur exim-4.43.orig/src/lookups/dnsdb.c exim-4.43/src/lookups/dnsdb.c |
| 119 | --- exim-4.43.orig/src/lookups/dnsdb.c 2004-10-05 10:32:08.000000000 +0200 |
| 120 | +++ exim-4.43/src/lookups/dnsdb.c 2005-01-08 00:32:31.125451504 +0100 |
| 121 | @@ -125,7 +125,7 @@ |
| 122 | /* If the type is PTR, we have to construct the relevant magic lookup |
| 123 | key. This code is now in a separate function. */ |
| 124 | |
| 125 | -if (type == T_PTR) |
| 126 | +if (type == T_PTR && string_is_ip_address(keystring, NULL)) |
| 127 | { |
| 128 | dns_build_reverse(keystring, buffer); |
| 129 | keystring = buffer; |
projects / packages / exim.git / blame