[courier-users] [PATCH] avoid invalid memory read in courier-authlib / authgetconfig
Hi, I tested courier and courier-authlib compiled with address sanitizer. This uncovered an out of bounds memory access in the file authgetconfig.c in courier-authlib: if (memcmp(p, env, l) == 0 && The problem here is that p might actually be shorter than l and thus this reads invalid memory. One possible fix (and probably the easiest) is to use strncmp instead. See attached patch. This is very similar to an issue I reported previously that got fixed here: https://github.com/svarshavchik/courier-libs/commit/174541a2e670c0ee70fd2fb3116209f96ecc173e Please apply patch. cu, -- Hanno Böck http://hboeck.de/ mail/jabber: ha...@hboeck.de GPG: BBB51E42 --- a/authgetconfig.c 2013-08-25 20:44:47.0 +0200 +++ b/authgetconfig.c 2015-11-14 19:08:02.909325278 +0100 @@ -76,7 +76,7 @@ for (i=0; i
Re: [courier-users] [PATCH] avoid invalid memory read in courier-authlib / authgetconfig
Hanno Böck writes: Hi, I tested courier and courier-authlib compiled with address sanitizer. This uncovered an out of bounds memory access in the file authgetconfig.c in courier-authlib: if (memcmp(p, env, l) == 0 && The problem here is that p might actually be shorter than l and thus this reads invalid memory. One possible fix (and probably the easiest) is to use strncmp instead. See attached patch. This looks ok, thanks for finding this. pgpVv0ipzwA8i.pgp Description: PGP signature -- ___ courier-users mailing list courier-users@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users