From 936e342d560e218c2aee5cb2295be925c27c2106 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 11 May 2023 19:31:54 +0100 Subject: [PATCH 1/1] Auths: fix possible OOB write in SPA authenticator. Bug 3000 (cherry picked from commit e17b8b0f19b25a223b0cc41933b881c3a1073e61) --- doc/doc-txt/ChangeLog | 3 +++ src/src/auths/auth-spa.c | 4 +++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 2f7135909..97987f014 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -196,6 +196,9 @@ JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings JH/40 Bug 2999: Fix a possible OOB write in the external authenticator, which could be triggered by externally-supplied input. Found by Trend Micro. +JH/41 Bug 3000: Fix a possible OOB write in the SPA authenticator, which could + be triggered by externally-controlled input. Found by Trend Micro. + Exim version 4.96 ----------------- diff --git a/src/src/auths/auth-spa.c b/src/src/auths/auth-spa.c index ec763e5b0..27e95805b 100644 --- a/src/src/auths/auth-spa.c +++ b/src/src/auths/auth-spa.c @@ -1214,7 +1214,9 @@ char versionString[] = "libntlm version 0.21"; #define spa_bytes_add(ptr, header, buf, count) \ { \ -if (buf && (count) != 0) /* we hate -Wint-in-bool-contex */ \ +if ( buf && (count) != 0 /* we hate -Wint-in-bool-contex */ \ + && ptr->bufIndex + count < sizeof(ptr->buffer) \ + ) \ { \ SSVAL(&ptr->header.len,0,count); \ SSVAL(&ptr->header.maxlen,0,count); \ -- 2.30.2