]> git.ipfire.org Git - thirdparty/dovecot/core.git/commitdiff
auth: Fix potential read buffer overflow in PLAIN mechanism
authorTimo Sirainen <timo.sirainen@open-xchange.com>
Wed, 26 Aug 2020 08:31:01 +0000 (11:31 +0300)
committertimo.sirainen <timo.sirainen@open-xchange.com>
Wed, 7 Oct 2020 11:47:59 +0000 (11:47 +0000)
In theory the overflow could have crashed the auth process, although
in practice it doesn't seem to happen.

src/auth/mech-plain.c
src/auth/test-mech.c

index 444b0ff4b897b2926209a417c2920cc3ad3e209c..3bb715f1ca9124754d6edec021ccf2ffe82e340a 100644 (file)
@@ -35,7 +35,7 @@ mech_plain_auth_continue(struct auth_request *request,
                }
        }
 
-       if (authenid != NULL && strcmp(authid, authenid) == 0) {
+       if (count == 2 && authenid != NULL && strcmp(authid, authenid) == 0) {
                /* the login username isn't different */
                authid = "";
        }
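Review bot: The new `count == 2` guard in front of `strcmp(authid, authenid)` carries no explanation, so a later cleanup could drop it as redundant with the `authenid != NULL` check. Judging from the commit message, `authenid` can be non-NULL while pointing at a field that has no terminating NUL inside the client-supplied buffer, in which case the comparison reads past the input; the parsing loop that sets `count` and `authenid` is outside this hunk, so that part is inferred. I would add a comment above the condition, for example `/* count == 2: both NUL separators were seen, so authid and authenid are NUL-terminated inside data */`. It is also worth confirming in the rest of the function, which this hunk does not show, that no other string call touches `authenid` or the password pointer before input with the wrong number of separators is rejected.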
index 322c1e9c69d9955dd5d237ff5ffe29516dba7028..397e3672281c759e929d0a2eb3aefeae5e8d0645 100644 (file)
@@ -259,6 +259,7 @@ static void test_mechs(void)
                {&mech_apop, UCHAR_LEN("1.1.1"), NULL, NULL, FALSE, FALSE, FALSE},
                {&mech_otp, UCHAR_LEN("somebody\0testuser"), "testuser", "otp(testuser): unsupported response type", FALSE, TRUE, FALSE},
                {&mech_cram_md5, UCHAR_LEN("testuser\0response"), "testuser", NULL, FALSE, FALSE, FALSE},
+               {&mech_plain, UCHAR_LEN("testuser\0"), "testuser", NULL, FALSE, FALSE, FALSE},
 
                /* Covering most of the digest md5 parsing */
                {&mech_digest_md5, UCHAR_LEN("username=\"testuser@example.com\",realm=\"example.com\",cnonce=\"OA6MHXh6VqTrRk\",response=d388dad90d4bbd760a152321f2143af7,qop=\"auth\""), NULL, NULL, FALSE, FALSE, FALSE},
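Review bot: The added `mech_plain` case with `"testuser\0"` may pass on the unpatched code as well, so it might not guard against a regression. If `UCHAR_LEN` passes the literal's address with `sizeof - 1` as the length (its definition is not visible here), the byte just past the nine-byte input is the literal's own implicit terminator, so the over-read would land on a valid NUL and neither a crash nor a memory checker would flag it. It is worth checking whether the harness copies each input into an allocation of exactly the stated length before calling the mechanism; if it does not, doing so would make this case meaningful under ASan or valgrind. A short comment on the row such as `/* PLAIN with only one NUL separator: second field would start past the input */` would record why the case exists, and sibling rows for input with no NUL at all and for empty input would cover the other truncated shapes.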