* Buffer overflow bug on auth_md5.c, where not enough dynamic memory

     was being allocated. Based on a report by Erich Eckner.

1 files changed, 8 insertions, 4 deletions

diff --git a/imap/src/c-client/auth_md5.c b/imap/src/c-client/auth_md5.c
index d4e7024b..d12fd299 100644
--- a/imap/src/c-client/auth_md5.c
+++ b/imap/src/c-client/auth_md5.c
@@ -113,11 +113,12 @@ long auth_md5_client (authchallenge_t challenger,authrespond_t responder,
       ret = LONGT;		/* will get a BAD response back */
     }
     else {			/* got password, build response */
-      sprintf (pwd,"%.65s %.33s",user,hmac_md5 (hshbuf,challenge,clen,
+      char tmp[128];
+      sprintf (tmp,"%.65s %.33s",user,hmac_md5 (hshbuf,challenge,clen,
 						pwd,strlen (pwd)));
       fs_give ((void **) &challenge);
 				/* send credentials, allow retry if OK */
-      if ((*responder) (stream,pwd,strlen (pwd))) {
+      if ((*responder) (stream,tmp,strlen (tmp))) {
 	if ((challenge = (*challenger) (stream,&clen)) != NULL)
 	  fs_give ((void **) &challenge);
 	else {
@@ -125,10 +126,13 @@ long auth_md5_client (authchallenge_t challenger,authrespond_t responder,
 	  ret = LONGT;		/* check the authentication */
 	}
       }
-      fs_give((void **) &pwd);
+      memset((void *) tmp, 0, sizeof(tmp));
     }
   }
-  if(pwd) fs_give((void **) &pwd);
+  if(pwd){
+    memset((void *) pwd, 0, strlen(pwd));
+    fs_give((void **) &pwd);
+  }
   if (!ret) *trial = 65535;	/* don't retry if bad protocol */
   return ret;
 }