On 18/03/2019 14:40, zerons via Exim-users wrote:
> I am reading exim code now. A piece of code in auth_client_item()
> came to my attention.
> I wonder if `ss` could be something like this: '^^^^', or '^^aaaaaaaa^'.
> If so, then `len` could be less than `i`, leading to memory corruption in
> memmove.

You are correct, and it's been like that since at least 2004. Fortunately it takes a gratuitously malconfigured client_send string to induce it (at least for PLAIN and LOGIN uses), so probably nobody was ever bitten.

A simple check on i vs. len avoids the crash; I don't intend to deal any better with it since the ^-escaping is a kludge here (I see no way to have a literal ^ at the start or right after a ^-signalled NUL).

Thanks for the careful code inspection.

-- 
Jeremy

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
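An added illustration of the exchange above, my own C code rather than Exim's: the first routine reconstructs the shape zerons describes (in-place decoding that closes the gap left by a dropped '^' with memmove while keeping a running `len`, with the trailing NUL never pulled along), but with the i-vs-len check Jeremy mentions placed in front of the memmove so the wrapped size is recorded instead of acted on and the run can be observed safely. The second routine is a bounded read/write-cursor decoder that needs no shifting at all. The '^' -> NUL and "^^" -> '^' convention, the loop shape, the sample strings and every function name are assumptions of this example, not details taken from Exim's source.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-in for the pattern described in the thread (assumed shape, not
 * Exim's code): decode in place, '^' -> NUL and "^^" -> literal '^', closing
 * the gap of the dropped '^' with memmove while keeping a running `len`.
 * Because the terminating NUL is never moved left, a stale '^' stays visible
 * at ss[len]; `i` can then step past the decremented `len` and `len - i`
 * wraps to a huge size_t. Instrumented: the wrapped size is stored in
 * *bad_request and -1 returned instead of calling memmove with it.
 */
static int decode_caret_in_place_instrumented(char *ss, size_t *bad_request)
{
    size_t len = strlen(ss);

    *bad_request = 0;
    for (size_t i = 0; i < len; i++) {
        if (ss[i] != '^')
            continue;
        if (ss[i + 1] != '^') {      /* lone '^': becomes a NUL */
            ss[i] = '\0';
            continue;
        }
        i++;                          /* "^^": keep one '^', drop the other */
        len--;
        if (i > len) {                /* the i-vs-len check the reply mentions */
            *bad_request = len - i;   /* the size memmove would have been given */
            return -1;
        }
        memmove(ss + i, ss + i + 1, len - i);
    }
    return 0;
}

/*
 * Hardened decoder: a read cursor over the NUL-terminated input, a bounded
 * write cursor over a separate buffer. Output never grows, so nothing is
 * shifted; the decoded bytes may legitimately contain NULs, so the length
 * is returned instead of relying on a terminator. Returns -1 on truncation.
 */
static ptrdiff_t decode_caret(const char *in, unsigned char *out, size_t outsize)
{
    size_t w = 0;

    for (size_t r = 0; in[r] != '\0'; r++) {
        unsigned char c = (unsigned char)in[r];
        if (c == '^') {
            if (in[r + 1] == '^') {  /* "^^" -> literal '^' */
                r++;
                c = '^';
            } else {                 /* "^"  -> NUL */
                c = 0;
            }
        }
        if (w >= outsize)
            return -1;
        out[w++] = c;
    }
    return (ptrdiff_t)w;
}

/* Report whether the in-place shape would request an out-of-range memmove. */
static int unsafe_shape_would_overflow(const char *s)
{
    char buf[64];
    size_t bad;

    if (strlen(s) >= sizeof buf)
        return -1;
    strcpy(buf, s);
    return decode_caret_in_place_instrumented(buf, &bad) == -1 && bad > sizeof buf;
}

/* Decode with the hardened routine and compare against the expected bytes. */
static int decodes_to(const char *in, const unsigned char *want, size_t wantlen)
{
    unsigned char out[64];
    ptrdiff_t n = decode_caret(in, out, sizeof out);

    return n == (ptrdiff_t)wantlen && memcmp(out, want, wantlen) == 0;
}

int main(void)
{
    /* Constructed samples; the first is the string from the report. */
    const char *samples[] = { "^^aaaaaaaa^", "^^^^", "user^pass", "^" };

    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        unsigned char out[64];
        ptrdiff_t n = decode_caret(samples[k], out, sizeof out);

        printf("%-12s in-place shape overflows: %d  decoded %td bytes:",
               samples[k], unsafe_shape_would_overflow(samples[k]), n);
        for (ptrdiff_t j = 0; j < n; j++)
            printf(" %02x", out[j]);
        putchar('\n');
    }
    return 0;
}
```

On '^^aaaaaaaa^' the in-place shape reaches the stale trailing '^' with i one past len and would hand memmove a wrapped length; the cursor decoder produces '^', eight 'a' bytes and a NUL, ten bytes in all, and reports -1 rather than writing past `out` if the buffer is too small.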
