authorMatthias Andree <matthias.andree@gmx.de>2018-04-14 20:39:39 +0200
committerMatthias Andree <matthias.andree@gmx.de>2018-04-14 20:39:39 +0200
commit9ad747acc03b6184bfa1387caad0044e5296439e (patch)
tree139e853bb9bdf9821ea46ed9f9fe35b4f0031b95 /gssapi.c
parent07f01ce3e566e0c7fd4fa859d759dd70140dcf4e (diff)
Prevent buffer overruns in do_gssauth() with long user names.
Reported in private by Greg Hudson.
Diffstat (limited to 'gssapi.c')
-rw-r--r--gssapi.c11
1 files changed, 10 insertions, 1 deletions
diff --git a/gssapi.c b/gssapi.c
index 31247e3b..85f19a66 100644
--- a/gssapi.c
+++ b/gssapi.c
@@ -268,7 +268,12 @@ cancelfail:
buf_size = htonl(buf_size); /* do as they do... only matters if we do enc */
memcpy(buf1, &buf_size, 4);
buf1[0] = GSSAUTH_P_NONE;
- strlcpy(buf1+4, username, sizeof(buf1) - 4); /* server decides if princ is user */
+ if (strlcpy(buf1 + 4, username, sizeof(buf1) - 4) >= sizeof(buf1) - 4)
+ {
+ report(stderr, GT_("GSSAPI username too long for static buffer.\n"));
+ goto cancelfail;
+ }
+ /* server decides if princ is user */
request_buf.length = 4 + strlen(username);
request_buf.value = buf1;
maj_stat = gss_wrap(&min_stat, context, 0, GSS_C_QOP_DEFAULT, &request_buf,
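Review bot: The username length is measured twice in this hunk: the new guard uses the return value of `strlcpy(buf1 + 4, username, sizeof(buf1) - 4)`, while `request_buf.length = 4 + strlen(username);` below recomputes it independently. Keeping the result once, as `ulen = strlcpy(buf1 + 4, username, sizeof(buf1) - 4);`, `if (ulen >= sizeof(buf1) - 4)` and `request_buf.length = 4 + ulen;`, ties the length handed to gss_wrap() to the value that was actually bounds-checked. The `size_t ulen` declaration would go with the function's other locals, which lie outside this hunk. The `cancelfail` label is also defined above the hunk, so what that path cleans up cannot be confirmed from here.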
@@ -277,6 +282,10 @@ cancelfail:
report(stderr, GT_("Error creating security level request\n"));
return PS_AUTHFAIL;
}
+ if ((send_token.length + 3) * 4/3 >= sizeof(buf1) - 1) {
+ report(stderr, GT_("GSSAPI send_token too large (%llu) while sending username.\n"), (unsigned long long)send_token.length);
+ goto cancelfail;
+ }
to64frombits(buf1, send_token.value, send_token.length);
suppress_tags = TRUE;
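Review bot: The guard `if ((send_token.length + 3) * 4/3 >= sizeof(buf1) - 1)` is an uncommented, hand-derived estimate of the base64 output size. `to64frombits(buf1, send_token.value, send_token.length)` on the following line still takes no destination size, so the write stays safe only while this formula matches the encoder. A comment above the check, such as `/* base64 turns 3 input bytes into 4 output chars plus a NUL; refuse tokens whose encoding cannot fit in buf1 */`, would make the bound reviewable. Longer term, passing the destination size into to64frombits() would move the check next to the write. The token returned by gss_wrap() is not visibly released before `goto cancelfail`; whether the label's path frees it lies outside the hunk and should be confirmed.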