From 74c603fbc6397e08b4914f535fcbc2361096bcf5 Mon Sep 17 00:00:00 2001 From: Eduardo Chappa Date: Wed, 8 May 2019 16:05:08 -0600 Subject: * Buffer overflow bug on auth_md5.c, where not enough dynamic memory was being allocated. Based on a report by Erich Eckner. --- imap/src/c-client/auth_md5.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'imap/src') diff --git a/imap/src/c-client/auth_md5.c b/imap/src/c-client/auth_md5.c index d4e7024b..d12fd299 100644 --- a/imap/src/c-client/auth_md5.c +++ b/imap/src/c-client/auth_md5.c @@ -113,11 +113,12 @@ long auth_md5_client (authchallenge_t challenger,authrespond_t responder, ret = LONGT; /* will get a BAD response back */ } else { /* got password, build response */ - sprintf (pwd,"%.65s %.33s",user,hmac_md5 (hshbuf,challenge,clen, + char tmp[128]; + sprintf (tmp,"%.65s %.33s",user,hmac_md5 (hshbuf,challenge,clen, pwd,strlen (pwd))); fs_give ((void **) &challenge); /* send credentials, allow retry if OK */ - if ((*responder) (stream,pwd,strlen (pwd))) { + if ((*responder) (stream,tmp,strlen (tmp))) { if ((challenge = (*challenger) (stream,&clen)) != NULL) fs_give ((void **) &challenge); else { @@ -125,10 +126,13 @@ long auth_md5_client (authchallenge_t challenger,authrespond_t responder, ret = LONGT; /* check the authentication */ } } - fs_give((void **) &pwd); + memset((void *) tmp, 0, sizeof(tmp)); } } - if(pwd) fs_give((void **) &pwd); + if(pwd){ + memset((void *) pwd, 0, strlen(pwd)); + fs_give((void **) &pwd); + } if (!ret) *trial = 65535; /* don't retry if bad protocol */ return ret; } -- cgit v1.2.3-70-g09d2