1 diff -Naur exim-4.43.orig/src/auths/auth-spa.c exim-4.43/src/auths/auth-spa.c
2 --- exim-4.43.orig/src/auths/auth-spa.c 2004-10-05 10:32:08.000000000 +0200
3 +++ exim-4.43/src/auths/auth-spa.c 2005-01-08 00:33:23.444497800 +0100
8 +/* The outlength parameter was added by PH, December 2004 */
11 -spa_base64_to_bits (char *out, const char *in)
12 +spa_base64_to_bits (char *out, int outlength, const char *in)
13 /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
20 + if (len >= outlength) /* Added by PH */
21 + return (-1); /* Added by PH */
23 if (DECODE64 (digit1) == BAD)
29 + if (len >= outlength) /* Added by PH */
30 + return (-1); /* Added by PH */
32 ((DECODE64 (digit2) << 4) & 0xf0) | (DECODE64 (digit3) >> 2);
36 - *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4);
37 + if (len >= outlength) /* Added by PH */
38 + return (-1); /* Added by PH */
39 + *out++ = ((DECODE64 (digit3) << 6) & 0xc0) | DECODE64 (digit4);
43 diff -Naur exim-4.43.orig/src/auths/auth-spa.h exim-4.43/src/auths/auth-spa.h
44 --- exim-4.43.orig/src/auths/auth-spa.h 2004-10-05 10:32:08.000000000 +0200
45 +++ exim-4.43/src/auths/auth-spa.h 2005-01-08 00:33:23.444497800 +0100
47 * Samba project (by Andrew Tridgell, Jeremy Allison, and others).
50 +/* December 2004: The spa_base64_to_bits() function has no length checking in
51 + * it. I have added a check. PH */
53 /* It seems that some systems have existing but different definitions of some
54 of the following types. I received a complaint about "int16" causing
55 compilation problems. So I (PH) have renamed them all, to be on the safe side.
57 #define spa_request_length(ptr) (((ptr)->buffer - (uint8x*)(ptr)) + (ptr)->bufIndex)
59 void spa_bits_to_base64 (unsigned char *, const unsigned char *, int);
60 -int spa_base64_to_bits(char *, const char *);
61 +int spa_base64_to_bits(char *, int, const char *);
62 void spa_build_auth_response (SPAAuthChallenge *challenge,
63 SPAAuthResponse *response, char *user, char *password);
64 void spa_build_auth_request (SPAAuthRequest *request, char *user,
65 diff -Naur exim-4.43.orig/src/auths/spa.c exim-4.43/src/auths/spa.c
66 --- exim-4.43.orig/src/auths/spa.c 2004-10-05 10:32:08.000000000 +0200
67 +++ exim-4.43/src/auths/spa.c 2005-01-08 00:33:42.155653272 +0100
72 -if (spa_base64_to_bits((char *)(&request), (const char *)(data)) < 0)
73 +if (spa_base64_to_bits((char *)(&request), sizeof(request), (const char *)(data)) < 0)
75 DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
76 "request: %s\n", data);
80 /* dump client response */
81 -if (spa_base64_to_bits((char *)(&response), (const char *)(data)) < 0)
82 +if (spa_base64_to_bits((char *)(&response), sizeof(response), (const char *)(data)) < 0)
84 DEBUG(D_auth) debug_printf("auth_spa_server(): bad base64 data in "
85 "response: %s\n", data);
87 /* convert the challenge into the challenge struct */
88 DSPA("\n\n%s authenticator: challenge (%s)\n\n",
89 ablock->name, buffer + 4);
90 - spa_base64_to_bits ((char *)(&challenge), (const char *)(buffer + 4));
91 + spa_base64_to_bits ((char *)(&challenge), sizeof(challenge), (const char *)(buffer + 4));
93 spa_build_auth_response (&challenge, &response,
94 CS username, CS password);
95 diff -Naur exim-4.43.orig/src/host.c exim-4.43/src/host.c
96 --- exim-4.43.orig/src/host.c 2004-10-05 10:32:08.000000000 +0200
97 +++ exim-4.43/src/host.c 2005-01-08 00:33:01.790789664 +0100
102 - /* Split the address into components separated by colons. */
103 + /* Split the address into components separated by colons. The input address
104 + * is supposed to be checked for syntax. There was a case where this was
105 + * overlooked; to guard against that happening again, check here and crash if
106 + * there is a violation. */
110 int len = Ustrcspn(p, ":");
111 if (len == 0) nulloffset = ci;
112 + if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
113 + "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
118 diff -Naur exim-4.43.orig/src/lookups/dnsdb.c exim-4.43/src/lookups/dnsdb.c
119 --- exim-4.43.orig/src/lookups/dnsdb.c 2004-10-05 10:32:08.000000000 +0200
120 +++ exim-4.43/src/lookups/dnsdb.c 2005-01-08 00:32:31.125451504 +0100
122 /* If the type is PTR, we have to construct the relevant magic lookup
123 key. This code is now in a separate function. */
126 +if (type == T_PTR && string_is_ip_address(keystring, NULL))
128 dns_build_reverse(keystring, buffer);