summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSergey Poznyakoff <gray@gnu.org.ua>2010-02-10 00:32:00 +0200
committerSergey Poznyakoff <gray@gnu.org.ua>2010-02-10 00:32:00 +0200
commit88c2fc773ed17a22beebaabafc9c8ce8ecfc939d (patch)
treeadcd1ef09c0358fea7c88c9e0bf20d0aec83c370
parent2235ee278c7b50002ba54e0f1e5ae5ef143f5629 (diff)
downloadmailutils-88c2fc773ed17a22beebaabafc9c8ce8ecfc939d.tar.gz
mailutils-88c2fc773ed17a22beebaabafc9c8ce8ecfc939d.tar.bz2
Fix memory override in smtp.c code. Fix ESMTP capability parsing.
* mailbox/base64.c (mu_base64_encode): Make sure output buffer is null-terminated. * imap4d/auth_gss.c (auth_gssapi): Assume buffer returned by mu_base64_encode is null-terminated. * libproto/mailer/smtp.c (cram_md5): Take challenge_len as argument. All callers updated. (smtp_auth): Fix eventual memory override. Assume buffer returned by mu_base64_encode is nul-terminated. (smtp_parse_ehlo_ack): Fix capability parsing: (a) do not depend on the continuation marker ('-' or ' ') and (b) fix parsing of the SIZE capablity. Move call to mu_rtrim_cset out of the internal loop.
-rw-r--r--imap4d/auth_gss.c6
-rw-r--r--libproto/mailer/smtp.c45
-rw-r--r--mailbox/base64.c8
3 files changed, 29 insertions, 30 deletions
diff --git a/imap4d/auth_gss.c b/imap4d/auth_gss.c
index a23113768..e85c25897 100644
--- a/imap4d/auth_gss.c
+++ b/imap4d/auth_gss.c
@@ -192,7 +192,7 @@ auth_gssapi (struct imap4d_command *command,
if (outbuf.length)
{
mu_base64_encode (outbuf.value, outbuf.length, &tmp, &size);
- util_send ("+ %*.*s\r\n", size, size, tmp);
+ util_send ("+ %s\r\n", tmp);
free (tmp);
gss_release_buffer (&min_stat, &outbuf);
}
@@ -212,7 +212,7 @@ auth_gssapi (struct imap4d_command *command,
if (outbuf.length)
{
mu_base64_encode (outbuf.value, outbuf.length, &tmp, &size);
- util_send ("+ %*.*s\r\n", size, size, tmp);
+ util_send ("+ %s\r\n", tmp);
free (tmp);
gss_release_buffer (&min_stat, &outbuf);
imap4d_getline (&token_str, &token_size, &token_len);
@@ -232,7 +232,7 @@ auth_gssapi (struct imap4d_command *command,
}
mu_base64_encode (outbuf.value, outbuf.length, &tmp, &size);
- util_send ("+ %*.*s\r\n", size, size, tmp);
+ util_send ("+ %s\r\n", tmp);
free (tmp);
imap4d_getline (&token_str, &token_size, &token_len);
diff --git a/libproto/mailer/smtp.c b/libproto/mailer/smtp.c
index 07b9db39a..32ccb66d3 100644
--- a/libproto/mailer/smtp.c
+++ b/libproto/mailer/smtp.c
@@ -630,13 +630,13 @@ smtp_starttls (smtp_t smtp)
}
static void
-cram_md5 (char *secret, unsigned char *challenge, unsigned char *digest)
+cram_md5 (char *secret, unsigned char *challenge, size_t challenge_len,
+ unsigned char *digest)
{
struct mu_md5_ctx context;
unsigned char ipad[64];
unsigned char opad[64];
int secret_len;
- int challenge_len;
int i;
if (secret == 0 || challenge == 0)
@@ -766,7 +766,7 @@ smtp_auth (smtp_t smtp)
mu_rtrim_cset (p, "\r\n");
mu_base64_decode ((unsigned char*) p, strlen (p), &chl, &chlen);
- cram_md5 ((char *) mu_secret_password (secret), chl, digest);
+ cram_md5 ((char *) mu_secret_password (secret), chl, chlen, digest);
mu_secret_password_unref (secret);
free (chl);
@@ -776,7 +776,6 @@ smtp_auth (smtp_t smtp)
mu_asnprintf (&buf, &buflen, "%s %s", user, ascii_digest);
buflen = strlen (buf);
mu_base64_encode ((unsigned char*) buf, buflen, &b64buf, &b64buflen);
- b64buf[b64buflen] = '\0';
free (buf);
status = smtp_writeline (smtp, "%s\r\n", b64buf);
@@ -818,7 +817,6 @@ smtp_auth (smtp_t smtp)
buf[c] = '\0';
}
mu_base64_encode ((unsigned char*) buf, buflen, &b64buf, &b64buflen);
- b64buf[b64buflen] = '\0';
free (buf);
status = smtp_writeline (smtp, "AUTH PLAIN %s\r\n", b64buf);
@@ -1398,42 +1396,43 @@ smtp_parse_ehlo_ack (smtp_t smtp)
status = smtp_readline (smtp);
if ((smtp->ptr - smtp->buffer) > 4 && smtp->buffer[3] == '-')
multi = 1;
- if (status == 0)
+ if (status == 0 && memcmp (smtp->buffer, "250", 3) == 0)
{
+ char *capa_str = smtp->buffer + 4;
+
smtp->ptr = smtp->buffer;
- if (!mu_c_strncasecmp (smtp->buffer, "250-STARTTLS", 12))
+ if (!mu_c_strncasecmp (capa_str, "STARTTLS", 8))
smtp->capa |= CAPA_STARTTLS;
- else if (!mu_c_strncasecmp (smtp->buffer, "250-SIZE", 8))
+ else if (!mu_c_strncasecmp (capa_str, "SIZE", 4))
{
+ char *p;
+ size_t n;
+
smtp->capa |= CAPA_SIZE;
- if (smtp->buffer[8] == '=')
- {
- char *p;
- size_t n = strtoul (smtp->buffer + 9, &p, 10);
-
- if (*p != '\n')
- MU_DEBUG1 (smtp->mailer->debug, MU_DEBUG_ERROR,
- "suspicious size declaration: %s",
- smtp->buffer);
- else
- smtp->max_size = n;
- }
+
+ n = strtoul (capa_str + 5, &p, 10);
+ if (*p != '\n')
+ MU_DEBUG1 (smtp->mailer->debug, MU_DEBUG_ERROR,
+ "suspicious size capability: %s",
+ smtp->buffer);
+ else
+ smtp->max_size = n;
}
- else if (!mu_c_strncasecmp (smtp->buffer, "250-AUTH", 8))
+ else if (!mu_c_strncasecmp (capa_str, "AUTH", 4))
{
char *name, *s;
smtp->capa |= CAPA_AUTH;
- for (name = strtok_r (smtp->buffer + 8, " ", &s); name;
+ for (name = strtok_r (capa_str + 5, " ", &s); name;
name = strtok_r (NULL, " ", &s))
{
struct auth_mech_record *mechs = auth_mech_list;
+ mu_rtrim_cset (name, "\r\n");
for (; mechs->name; mechs++)
{
- mu_rtrim_cset (name, "\r\n");
if (!mu_c_strcasecmp (mechs->name, name))
{
smtp->auth_mechs |= mechs->id;
diff --git a/mailbox/base64.c b/mailbox/base64.c
index 4c67a48a2..65e8f5c00 100644
--- a/mailbox/base64.c
+++ b/mailbox/base64.c
@@ -26,11 +26,11 @@
int
mu_base64_encode (const unsigned char *input, size_t input_len,
- unsigned char **output, size_t * output_len)
+ unsigned char **output, size_t *output_len)
{
static char b64tab[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
- size_t olen = 4 * (input_len + 2) / 3;
+ size_t olen = 4 * (input_len + 2) / 3 + 1;
unsigned char *out = malloc (olen);
if (!out)
@@ -42,7 +42,6 @@ mu_base64_encode (const unsigned char *input, size_t input_len,
*out++ = b64tab[((input[0] << 4) & 0x30) | (input[1] >> 4)];
*out++ = b64tab[((input[1] << 2) & 0x3c) | (input[2] >> 6)];
*out++ = b64tab[input[2] & 0x3f];
- olen -= 4;
input_len -= 3;
input += 3;
}
@@ -58,12 +57,13 @@ mu_base64_encode (const unsigned char *input, size_t input_len,
*out++ = '=';
}
*output_len = out - *output;
+ *out = 0;
return 0;
}
int
mu_base64_decode (const unsigned char *input, size_t input_len,
- unsigned char **output, size_t * output_len)
+ unsigned char **output, size_t *output_len)
{
static int b64val[128] = {
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,

Return to:

Send suggestions and report system problems to the System administrator.