Auths: fix possible OOB write in SPA authenticator. Bug 3000
author Jeremy Harris <jgh146exb@wizmail.org>
Thu, 11 May 2023 18:31:54 +0000 (19:31 +0100)
committer Jeremy Harris <jgh146exb@wizmail.org>
Tue, 26 Sep 2023 18:09:08 +0000 (19:09 +0100)
doc/doc-txt/ChangeLog
src/src/auths/auth-spa.c

index eb8c3588ee5f4768c56256546ebdf73e625d1441..95377514f96a74c092a8d432b39e676d55a36155 100644 (file)
@@ -196,6 +196,9 @@ JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings
 JH/40 Bug 2999: Fix a possible OOB write in the external authenticator, which
       could be triggered by externally-supplied input.  Found by Trend Micro.
 
+JH/41 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could
+      be triggered by externally-controlled input.  Found by Trend Micro.
+
 
 Exim version 4.96
 -----------------
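Review bot: the JH/41 entry says "externally-controlled input" where JH/40 directly above says "externally-supplied input"; pick one wording so the two related entries read consistently. The entry also does not say what the authenticator now does with an oversized field, and one clause on that would help anyone auditing the behaviour change from the ChangeLog alone.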
index ff683a2dd7b5c29eb65da8604b1866811a44b01e..d7a12aa23da35018099366d47e3d6ab30ae60dcb 100644 (file)
@@ -1215,7 +1215,9 @@ char versionString[] = "libntlm version 0.21";
 
 #define spa_bytes_add(ptr, header, buf, count) \
 { \
-if (buf && (count) != 0) /* we hate -Wint-in-bool-contex */ \
+if (  buf && (count) != 0      /* we hate -Wint-in-bool-contex */ \
+   && ptr->bufIndex + count < sizeof(ptr->buffer)              \
+   ) \
   { \
   SSVAL(&ptr->header.len,0,count); \
   SSVAL(&ptr->header.maxlen,0,count); \
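Review bot: in the added condition `ptr->bufIndex + count < sizeof(ptr->buffer)` the macro arguments are used unparenthesized, although the line above it writes `(count) != 0`; write `(ptr)->bufIndex + (count)` so an expression argument cannot change the parse. The check also adds before comparing, and the types of `bufIndex` and `count` are not visible here, so it is worth confirming that the sum cannot wrap or go negative before it is compared with the `size_t` from `sizeof`; comparing `(count)` against the remaining space would avoid the addition, provided `bufIndex` never exceeds the buffer size. The strict `<` rejects a field that would fill the buffer exactly; if that is deliberate, a short comment would record it. Finally, the visible lines do not show what happens when the bound fails, so please check that the skipped case leaves the header length and offset fields in a defined state rather than describing data that was never copied.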