summaryrefslogtreecommitdiff
path: root/imap/src
diff options
context:
space:
mode:
authorEduardo Chappa <chappa@washington.edu>2019-05-08 16:05:08 -0600
committerEduardo Chappa <chappa@washington.edu>2019-05-08 16:05:08 -0600
commit74c603fbc6397e08b4914f535fcbc2361096bcf5 (patch)
treefea5c5998e07238d8addd1f4499406379a07ef95 /imap/src
parentfd6775283db831681f9a04b23bdb29d1e4f5f11e (diff)
downloadalpine-74c603fbc6397e08b4914f535fcbc2361096bcf5.tar.xz
* Buffer overflow bug on auth_md5.c, where not enough dynamic memory
was being allocated. Based on a report by Erich Eckner.
Diffstat (limited to 'imap/src')
-rw-r--r--imap/src/c-client/auth_md5.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/imap/src/c-client/auth_md5.c b/imap/src/c-client/auth_md5.c
index d4e7024b..d12fd299 100644
--- a/imap/src/c-client/auth_md5.c
+++ b/imap/src/c-client/auth_md5.c
@@ -113,11 +113,12 @@ long auth_md5_client (authchallenge_t challenger,authrespond_t responder,
ret = LONGT; /* will get a BAD response back */
}
else { /* got password, build response */
- sprintf (pwd,"%.65s %.33s",user,hmac_md5 (hshbuf,challenge,clen,
+ char tmp[128];
+ sprintf (tmp,"%.65s %.33s",user,hmac_md5 (hshbuf,challenge,clen,
pwd,strlen (pwd)));
fs_give ((void **) &challenge);
/* send credentials, allow retry if OK */
- if ((*responder) (stream,pwd,strlen (pwd))) {
+ if ((*responder) (stream,tmp,strlen (tmp))) {
if ((challenge = (*challenger) (stream,&clen)) != NULL)
fs_give ((void **) &challenge);
else {
@@ -125,10 +126,13 @@ long auth_md5_client (authchallenge_t challenger,authrespond_t responder,
ret = LONGT; /* check the authentication */
}
}
- fs_give((void **) &pwd);
+ memset((void *) tmp, 0, sizeof(tmp));
}
}
- if(pwd) fs_give((void **) &pwd);
+ if(pwd){
+ memset((void *) pwd, 0, strlen(pwd));
+ fs_give((void **) &pwd);
+ }
if (!ret) *trial = 65535; /* don't retry if bad protocol */
return ret;
}