Hi,

I tested courier and courier-authlib compiled with address sanitizer. This uncovered an out of bounds memory access in the file authgetconfig.c in courier-authlib:

if (memcmp(p, env, l) == 0 &&

The problem here is that p might actually be shorter than l and thus this reads invalid memory. One possible fix (and probably the easiest) is to use strncmp instead. See attached patch.

This is very similar to an issue I reported previously that got fixed here:
https://github.com/svarshavchik/courier-libs/commit/174541a2e670c0ee70fd2fb3116209f96ecc173e

Please apply patch.

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: BBB51E42
--- a/authgetconfig.c 2013-08-25 20:44:47.000000000 +0200 +++ b/authgetconfig.c 2015-11-14 19:08:02.909325278 +0100 @@ -76,7 +76,7 @@ for (i=0; i<configauth_size; ) { p=configauth+i; - if (memcmp(p, env, l) == 0 && + if (strncmp(p, env, l) == 0 && isspace((int)(unsigned char)p[l])) { p += l;
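Review bot: on the changed line, strncmp(p, env, l) stays inside configauth only if the entry at p is NUL-terminated before the end of the buffer; the loop condition i<configauth_size bounds where p starts, not how far the comparison reads, and nothing in this hunk shows that the final entry is terminated. Suggest making the bound explicit, e.g. `if (configauth_size - i > l && memcmp(p, env, l) == 0 &&`, which also covers the p[l] read in the isspace() call on the next line, or adding a comment stating that configauth always ends in a NUL byte.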
------------------------------------------------------------------------------
_______________________________________________ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
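The over-read described in the message above, handled with an explicit length check, as an added example that is not part of the original e-mail or of courier-authlib. The function name lookup, the sample buffer and the assumed layout (NUL-separated "NAME value" entries in a buffer of known size) are illustrative assumptions.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: two terminated entries and a 1-byte unterminated tail. */
static const char sample[] = "DEFAULTDOMAIN example.org\0MODE strict\0X";
#define SAMPLE_SIZE (sizeof(sample) - 1)   /* drop the literal's own NUL */

/* Assumed layout (not taken from courier-authlib): buf holds buf_size bytes
 * of "NAME value" entries, each ended by '\0'; the last one may lack it. */
static const char *lookup(const char *buf, size_t buf_size, const char *name)
{
    size_t l = strlen(name);
    size_t i = 0;

    while (i < buf_size) {
        const char *p = buf + i;
        size_t left = buf_size - i;
        const char *nul = memchr(p, '\0', left);  /* bounded terminator scan */

        /* left > l guarantees that p[0..l] (l name bytes plus the
         * separator) lies inside the buffer before anything is compared. */
        if (left > l && memcmp(p, name, l) == 0 &&
            isspace((unsigned char)p[l])) {
            if (nul == NULL)
                return NULL;       /* unterminated final entry: reject */
            p += l;
            while (isspace((unsigned char)*p))
                ++p;               /* stops at '\0', which is not a space */
            return p;
        }
        if (nul == NULL)
            break;                 /* nothing terminated is left to scan */
        i = (size_t)(nul - buf) + 1;
    }
    return NULL;
}

int main(void)
{
    const char *v = lookup(sample, SAMPLE_SIZE, "MODE");
    printf("MODE=%s\n", v ? v : "(not found)");
    return 0;
}
```

The lookup for a name longer than the remaining bytes never reaches memcmp, which is the case the sanitizer flagged.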