Auths: fix possible OOB write in SPA authenticator. Bug 3000
authorJeremy Harris <jgh146exb@wizmail.org>
Thu, 11 May 2023 18:31:54 +0000 (19:31 +0100)
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Sat, 30 Sep 2023 20:49:31 +0000 (22:49 +0200)
(cherry picked from commit e17b8b0f19b25a223b0cc41933b881c3a1073e61)

doc/doc-txt/ChangeLog
src/src/auths/auth-spa.c

index 2f7135909d3226d78248da6e56be9277b35d2904..97987f014387d8bb5e8cd35d1e6c567551c8ba04 100644 (file)
@@ -196,6 +196,9 @@ JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings
 JH/40 Bug 2999: Fix a possible OOB write in the external authenticator, which
       could be triggered by externally-supplied input.  Found by Trend Micro.
 
+JH/41 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could
+      be triggered by externally-controlled input.  Found by Trend Micro.
+
 
 Exim version 4.96
 -----------------
index ec763e5b085a4aee46756157d25430da15f6d8ce..27e95805b856b0d8d5f8ce833a64a8114c46412b 100644 (file)
@@ -1214,7 +1214,9 @@ char versionString[] = "libntlm version 0.21";
 
 #define spa_bytes_add(ptr, header, buf, count) \
 { \
-if (buf && (count) != 0) /* we hate -Wint-in-bool-contex */ \
+if (  buf && (count) != 0      /* we hate -Wint-in-bool-contex */ \
+   && ptr->bufIndex + count < sizeof(ptr->buffer)              \
+   ) \
   { \
   SSVAL(&ptr->header.len,0,count); \
   SSVAL(&ptr->header.maxlen,0,count); \
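Review bot: The bound added to the `spa_bytes_add` condition uses `ptr` and `count` unparenthesized and depends on `ptr->bufIndex + count` neither wrapping nor undergoing a signed/unsigned conversion. Their types are not visible in this hunk, but if `count` can be negative or the sum can wrap, the comparison could pass for a length that does not fit in the buffer. Comparing against the remaining space avoids the addition and makes the macro hygienic: `&& (size_t)(count) < sizeof((ptr)->buffer) - (ptr)->bufIndex`. That form assumes `bufIndex` never exceeds `sizeof buffer`, which is worth stating in a comment next to it. The macro body continues past the end of the hunk, so the failure path is not shown; if an oversized field is silently emitted as empty, callers should log or fail the authentication so that dropped external input is diagnosable.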