From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Thu, 11 May 2023 17:02:43 +0000 (+0100)
Subject: Auths: fix possible OOB write in external authenticator.  Bug 2999
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/7bb5bc2c6592e062bf0b514cc71afd2d93e2e0dd

Auths: fix possible OOB write in external authenticator.  Bug 2999
---

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 5fcc8ab11..eb8c3588e 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -193,6 +193,9 @@ JH/38 Taint-track intermediate values from the peer in multi-stage authentation
 JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings
       and ${tr...}.  Found and diagnosed by Heiko Schlichting.
 
+JH/40 Bug 2999: Fix a possible OOB write in the external authenticator, which
+      could be triggered by externally-supplied input.  Found by Trend Micro.
+
 
 Exim version 4.96
 -----------------
diff --git a/src/src/auths/external.c b/src/src/auths/external.c
index 078aad0fa..f6aa527f2 100644
--- a/src/src/auths/external.c
+++ b/src/src/auths/external.c
@@ -104,7 +104,7 @@ if (expand_nmax == 0) 	/* skip if rxd data */
 if (ob->server_param2)
   {
   uschar * s = expand_string(ob->server_param2);
-  auth_vars[expand_nmax] = s;
+  auth_vars[expand_nmax = 1] = s;
   expand_nstring[++expand_nmax] = s;
   expand_nlength[expand_nmax] = Ustrlen(s);
   if (ob->server_param3)