From: Timo Sirainen Date: Wed, 26 Aug 2020 08:31:01 +0000 (+0300) Subject: auth: Fix potential read buffer overflow in PLAIN mechanism X-Git-Tag: 2.3.13~131 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bf1c45440abc381165af61a40bef600b475c0f6a;p=thirdparty%2Fdovecot%2Fcore.git auth: Fix potential read buffer overflow in PLAIN mechanism The overflow could have crashed the auth process in theory, although practically it doesn't seem to happen. --- diff --git a/src/auth/mech-plain.c b/src/auth/mech-plain.c index 444b0ff4b8..3bb715f1ca 100644 --- a/src/auth/mech-plain.c +++ b/src/auth/mech-plain.c @@ -35,7 +35,7 @@ mech_plain_auth_continue(struct auth_request *request, } } - if (authenid != NULL && strcmp(authid, authenid) == 0) { + if (count == 2 && authenid != NULL && strcmp(authid, authenid) == 0) { /* the login username isn't different */ authid = ""; } diff --git a/src/auth/test-mech.c b/src/auth/test-mech.c index 322c1e9c69..397e367228 100644 --- a/src/auth/test-mech.c +++ b/src/auth/test-mech.c @@ -259,6 +259,7 @@ static void test_mechs(void) {&mech_apop, UCHAR_LEN("1.1.1"), NULL, NULL, FALSE, FALSE, FALSE}, {&mech_otp, UCHAR_LEN("somebody\0testuser"), "testuser", "otp(testuser): unsupported response type", FALSE, TRUE, FALSE}, {&mech_cram_md5, UCHAR_LEN("testuser\0response"), "testuser", NULL, FALSE, FALSE, FALSE}, + {&mech_plain, UCHAR_LEN("testuser\0"), "testuser", NULL, FALSE, FALSE, FALSE}, /* Covering most of the digest md5 parsing */ {&mech_digest_md5, UCHAR_LEN("username=\"testuser@example.com\",realm=\"example.com\",cnonce=\"OA6MHXh6VqTrRk\",response=d388dad90d4bbd760a152321f2143af7,qop=\"auth\""), NULL, NULL, FALSE, FALSE, FALSE},