From: Jeremy Harris
Date: Thu, 11 May 2023 18:31:54 +0000 (+0100)
Subject: Auths: fix possible OOB write in SPA authenticator. Bug 3000
X-Git-Tag: exim-4.96.1~2
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/936e342d560e218c2aee5cb2295be925c27c2106

Auths: fix possible OOB write in SPA authenticator. Bug 3000
(cherry picked from commit e17b8b0f19b25a223b0cc41933b881c3a1073e61)
---
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 2f7135909..97987f014 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -196,6 +196,9 @@ JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings
 JH/40 Bug 2999: Fix a possible OOB write in the external authenticator, which could be triggered by externally-supplied input. Found by Trend Micro.
+JH/41 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could
+ be triggered by externally-controlled input. Found by Trend Micro.
+
 Exim version 4.96
 -----------------
diff --git a/src/src/auths/auth-spa.c b/src/src/auths/auth-spa.c
index ec763e5b0..27e95805b 100644
--- a/src/src/auths/auth-spa.c
+++ b/src/src/auths/auth-spa.c
@@ -1214,7 +1214,9 @@ char versionString[] = "libntlm version 0.21";
 #define spa_bytes_add(ptr, header, buf, count) \
 { \
-if (buf && (count) != 0) /* we hate -Wint-in-bool-contex */ \
+if ( buf && (count) != 0 /* we hate -Wint-in-bool-contex */ \
+ && ptr->bufIndex + count < sizeof(ptr->buffer) \
+ ) \
 { \
 SSVAL(&ptr->header.len,0,count); \
 SSVAL(&ptr->header.maxlen,0,count); \
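Review bot: The added bound `ptr->bufIndex + count < sizeof(ptr->buffer)` uses the macro arguments unparenthesised and performs the check as an addition, so a `count` expression containing a lower-precedence operator could misparse, and a negative signed `count` could wrap the sum and still pass. The types of `bufIndex` and `count` are not visible in this hunk, so that is worth confirming at the call sites. A subtraction form with the arguments parenthesised avoids both, e.g. `&& (size_t)(count) < sizeof((ptr)->buffer) - (ptr)->bufIndex \`, assuming `bufIndex` can never exceed the buffer size. The macro body continues past the hunk, so what happens when the check fails is not shown here; if the field is silently dropped, a short comment above the macro saying so would help the next reader.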