author | Matthias Andree <matthias.andree@gmx.de> | 2018-04-14 20:39:39 +0200 |
---|---|---|
committer | Matthias Andree <matthias.andree@gmx.de> | 2018-04-14 20:39:39 +0200 |
commit | 9ad747acc03b6184bfa1387caad0044e5296439e (patch) | |
tree | 139e853bb9bdf9821ea46ed9f9fe35b4f0031b95 | |
parent | 07f01ce3e566e0c7fd4fa859d759dd70140dcf4e (diff) | |
Prevent buffer overruns in do_gssauth() with long user names.
Reported in private by Greg Hudson.
-rw-r--r-- | NEWS | 4 | ||||
-rw-r--r-- | gssapi.c | 11 |
2 files changed, 14 insertions, 1 deletions
@@ -88,6 +88,10 @@ fetchmail-6.4.0 (not yet released):
 in favour of another configuration option that makes the insecurity in using this option clearer.
+## SECURITY FIXES
+* Fetchmail prevents buffer overruns in GSSAPI authentication with user names
+ beyond c. 6000 characters in length. Reported by Greg Hudson.
+
 ## CHANGES
 * fetchmail 6.3.X is unsupported.
 * fetchmail now requires OpenSSL v1.0.2 or newer.
@@ -268,7 +268,12 @@ cancelfail:
 buf_size = htonl(buf_size); /* do as they do... only matters if we do enc */
 memcpy(buf1, &buf_size, 4);
 buf1[0] = GSSAUTH_P_NONE;
- strlcpy(buf1+4, username, sizeof(buf1) - 4); /* server decides if princ is user */
+ if (strlcpy(buf1 + 4, username, sizeof(buf1) - 4) >= sizeof(buf1) - 4)
+ {
+ report(stderr, GT_("GSSAPI username too long for static buffer.\n"));
+ goto cancelfail;
+ }
+ /* server decides if princ is user */
 request_buf.length = 4 + strlen(username);
 request_buf.value = buf1;
 maj_stat = gss_wrap(&min_stat, context, 0, GSS_C_QOP_DEFAULT, &request_buf,
@@ -277,6 +282,10 @@ cancelfail:
 report(stderr, GT_("Error creating security level request\n"));
 return PS_AUTHFAIL;
 }
+ if ((send_token.length + 3) * 4/3 >= sizeof(buf1) - 1) {
+ report(stderr, GT_("GSSAPI send_token too large (%llu) while sending username.\n"), (unsigned long long)send_token.length);
+ goto cancelfail;
+ }
 to64frombits(buf1, send_token.value, send_token.length);
 suppress_tags = TRUE; |
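Review bot: The new size check in the second gssapi.c hunk jumps to cancelfail while send_token still holds the buffer that gss_wrap allocated a few lines earlier, so that error path leaks it unless the label's cleanup (which lies outside the hunk) releases it; a `gss_release_buffer(&min_stat, &send_token);` immediately before that `goto cancelfail;` would close the gap. The bound itself is conservative: `(send_token.length + 3) * 4/3` is always at least `4 * ((len + 2) / 3) + 1`, i.e. the standard base64 length plus the terminating NUL, so assuming to64frombits emits plain base64 the overrun is prevented, but a comment such as `/* base64 needs 4*ceil(len/3) bytes plus NUL; this deliberately over-estimates */` would spare the next reader the arithmetic. The strlcpy check in the first hunk is correct as written, since a return value >= the size argument is strlcpy's truncation signal. do_gssauth begins and ends outside both hunks.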