45 lines
1.5 KiB
Diff
45 lines
1.5 KiB
Diff
commit 4c3cebfa4e659fb778ca2cae0ccb3f69201609a8
|
|
Author: Matthias Andree <matthias.andree@gmx.de>
|
|
Date: Fri Oct 3 13:11:59 2025 +0200
|
|
|
|
Security fix: avoid NULL+1 deref on invalid AUTH reply
|
|
|
|
When fetchmail receives a 334 reply from the SMTP server
|
|
that does not contain the mandated blank after that response
|
|
code, it will attempt reading from memory location 1, which
|
|
will usually lead to a crash.
|
|
|
|
The simpler fix would have been to check for four bytes "334 "
|
|
instead of three bytes "334" but that would make malformed
|
|
replies and those that don't match the expected reply code
|
|
indistinguishable.
|
|
|
|
Index: fetchmail-6.5.2/smtp.c
|
|
===================================================================
|
|
--- fetchmail-6.5.2.orig/smtp.c
|
|
+++ fetchmail-6.5.2/smtp.c
|
|
@@ -93,6 +93,11 @@ static void SMTP_auth(int sock, char smt
|
|
}
|
|
|
|
p = strchr(tmp, ' ');
|
|
+ if (!p) {
|
|
+ report(stderr, "%s: \"%s\"\n", GT_("Malformed server reply"), visbuf(tmp));
|
|
+ SMTP_auth_error(sock, "");
|
|
+ return;
|
|
+ }
|
|
p++;
|
|
/* (hmh) from64tobits will not NULL-terminate strings! */
|
|
if (from64tobits(b64buf, p, sizeof(b64buf) - 1) <= 0) {
|
|
@@ -146,6 +151,11 @@ static void SMTP_auth(int sock, char smt
|
|
}
|
|
|
|
p = strchr(tmp, ' ');
|
|
+ if (!p) {
|
|
+ report(stderr, "%s: \"%s\"\n", GT_("Malformed server reply"), visbuf(tmp));
|
|
+ SMTP_auth_error(sock, "");
|
|
+ return;
|
|
+ }
|
|
p++;
|
|
if (from64tobits(b64buf, p, sizeof(b64buf) - 1) <= 0) {
|
|
SMTP_auth_error(sock, GT_("Bad base64 reply from server.\n"));
|