diff options
| author | Eric S. Raymond <esr@thyrsus.com> | 2002-03-10 19:24:11 +0000 |
|---|---|---|
| committer | Eric S. Raymond <esr@thyrsus.com> | 2002-03-10 19:24:11 +0000 |
| commit | 7c33daaf6fd2bd4342903ad5ce025b5ab6bc89bd (patch) | |
| tree | 613a7a5f2f17881ac42330d1d7de81b7a33e6fcb /driver.c | |
| parent | 45f7b08b6abff402a2feaadbdda4ff33155ef6ef (diff) | |
| download | fetchmail-7c33daaf6fd2bd4342903ad5ce025b5ab6bc89bd.tar.gz fetchmail-7c33daaf6fd2bd4342903ad5ce025b5ab6bc89bd.tar.bz2 fetchmail-7c33daaf6fd2bd4342903ad5ce025b5ab6bc89bd.zip | |
Ready to put in esmtp password.
svn path=/trunk/; revision=3595
Diffstat (limited to 'driver.c')
| -rw-r--r-- | driver.c | 14 |
1 files changed, 14 insertions, 0 deletions
@@ -15,6 +15,7 @@ #endif /* HAVE_MEMORY_H */ #if defined(STDC_HEADERS) #include <stdlib.h> +#include <limits.h> #endif #if defined(HAVE_UNISTD_H) #include <unistd.h> @@ -1301,6 +1302,19 @@ is restored.")); */ force_retrieval = !peek_capable && (ctl->errcount > 0); + /* + * Don't trust the message count passed by the server. + * Without this check, it might be possible to do a + * DNS-spoofing attack that would pass back a ridiculous + * count, and allocate a malloc area that would overlap + * a portion of the stack. + */ + if (count > INT_MAX/sizeof(int)) + { + report(stderr, "bogus message count!"); + return(PS_PROTOCOL); + } + /* OK, we're going to gather size info next */ xalloca(msgsizes, int *, sizeof(int) * count); xalloca(msgcodes, int *, sizeof(int) * count); |