Hi,

I tested courier and courier-authlib compiled with address sanitizer. This uncovered an out of bounds memory access in the file authgetconfig.c in courier-authlib:

    if (memcmp(p, env, l) == 0 &&

The problem here is that p might actually be shorter than l and thus
this reads invalid memory.
One possible fix (and probably the easiest) is to use strncmp instead.
See attached patch.
This is very similar to an issue I reported previously that got fixed
here:
https://github.com/svarshavchik/courier-libs/commit/174541a2e670c0ee70fd2fb3116209f96ecc173e
Please apply patch.
cu,
--
Hanno Böck
http://hboeck.de/
mail/jabber: [email protected]
GPG: BBB51E42
--- a/authgetconfig.c 2013-08-25 20:44:47.000000000 +0200
+++ b/authgetconfig.c 2015-11-14 19:08:02.909325278 +0100
@@ -76,7 +76,7 @@
for (i=0; i<configauth_size; )
{
p=configauth+i;
- if (memcmp(p, env, l) == 0 &&
+ if (strncmp(p, env, l) == 0 &&
isspace((int)(unsigned char)p[l]))
{
p += l;
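Review bot: the strncmp on the changed line only stops the over-read if the data at p is NUL-terminated before the end of the allocation, and nothing in these lines shows that configauth is. The loop already has i and configauth_size in scope, so checking that l is smaller than configauth_size - i before the comparison would bound both the compare and the following p[l] read without depending on a terminator. Note also that strncmp stops at an embedded NUL where memcmp did not, so the two calls are not equivalent if env or the buffer can contain one.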
------------------------------------------------------------------------------
_______________________________________________ courier-users mailing list [email protected] Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
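Added example, not part of the original message and not courier-authlib code: a length-checked lookup that avoids the over-read described above without relying on a NUL terminator. The function names, the "NAME value" line layout and the sample buffer are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: find a line starting with "name<whitespace>" in
 * buf[0..size) and return a pointer to its value, or NULL if absent.
 * buf does not have to be NUL-terminated. */
static const char *find_setting(const char *buf, size_t size,
                                const char *name, size_t *value_len)
{
    size_t l = strlen(name);
    size_t i = 0;

    while (i < size) {
        const char *p = buf + i;
        size_t remaining = size - i;
        const char *nl = memchr(p, '\n', remaining);
        size_t line_len = nl ? (size_t)(nl - p) : remaining;

        /* Require room for the name and the separator byte p[l]
         * before reading either of them. */
        if (line_len > l && memcmp(p, name, l) == 0 &&
            isspace((unsigned char)p[l])) {
            size_t v = l;
            while (v < line_len && isspace((unsigned char)p[v]))
                v++;
            *value_len = line_len - v;
            return p + v;
        }
        i += line_len + 1; /* step past the newline, or past the end */
    }
    return NULL;
}

/* Returns 1 if name is present and its value is exactly expect. */
static int setting_equals(const char *buf, size_t size,
                          const char *name, const char *expect)
{
    size_t n = 0;
    const char *v = find_setting(buf, size, name, &n);
    return v != NULL && n == strlen(expect) && memcmp(v, expect, n) == 0;
}

int main(void)
{
    /* Constructed sample; the last line is shorter than the name. */
    static const char cfg[] = "DEBUG 1\nMODULES authpam\nMOD";
    return setting_equals(cfg, sizeof cfg - 1, "MODULES", "authpam") ? 0 : 1;
}
```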
