diff options
author | Eduardo Chappa <chappa@washington.edu> | 2019-05-08 16:05:08 -0600 |
---|---|---|
committer | Eduardo Chappa <chappa@washington.edu> | 2019-05-08 16:05:08 -0600 |
commit | 74c603fbc6397e08b4914f535fcbc2361096bcf5 (patch) | |
tree | fea5c5998e07238d8addd1f4499406379a07ef95 /imap/src | |
parent | fd6775283db831681f9a04b23bdb29d1e4f5f11e (diff) | |
download | alpine-74c603fbc6397e08b4914f535fcbc2361096bcf5.tar.xz |
* Buffer overflow bug on auth_md5.c, where not enough dynamic memory
was being allocated. Based on a report by Erich Eckner.
Diffstat (limited to 'imap/src')
-rw-r--r-- | imap/src/c-client/auth_md5.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/imap/src/c-client/auth_md5.c b/imap/src/c-client/auth_md5.c index d4e7024b..d12fd299 100644 --- a/imap/src/c-client/auth_md5.c +++ b/imap/src/c-client/auth_md5.c @@ -113,11 +113,12 @@ long auth_md5_client (authchallenge_t challenger,authrespond_t responder, ret = LONGT; /* will get a BAD response back */ } else { /* got password, build response */ - sprintf (pwd,"%.65s %.33s",user,hmac_md5 (hshbuf,challenge,clen, + char tmp[128]; + sprintf (tmp,"%.65s %.33s",user,hmac_md5 (hshbuf,challenge,clen, pwd,strlen (pwd))); fs_give ((void **) &challenge); /* send credentials, allow retry if OK */ - if ((*responder) (stream,pwd,strlen (pwd))) { + if ((*responder) (stream,tmp,strlen (tmp))) { if ((challenge = (*challenger) (stream,&clen)) != NULL) fs_give ((void **) &challenge); else { @@ -125,10 +126,13 @@ long auth_md5_client (authchallenge_t challenger,authrespond_t responder, ret = LONGT; /* check the authentication */ } } - fs_give((void **) &pwd); + memset((void *) tmp, 0, sizeof(tmp)); } } - if(pwd) fs_give((void **) &pwd); + if(pwd){ + memset((void *) pwd, 0, strlen(pwd)); + fs_give((void **) &pwd); + } if (!ret) *trial = 65535; /* don't retry if bad protocol */ return ret; } |