authorAlexander Bluhm <alexander.bluhm@gmx.net>2017-08-10 19:38:24 +0200
committerAlexander Bluhm <alexander.bluhm@gmx.net>2017-08-10 19:56:39 +0200
commit418cda65f752e367fa663fd13884a45fcbc39ddd (patch)
tree88d7f97d60a5c14c9259e4940761cd2855d22e07 /socket.c
parent53e6c9984e8f533f57daef7d5c3c57c2d9a7bee9 (diff)
Do not overrun plugin string when copying it.
parse_plugin() expands the % escapes in the plugin string into plugin_copy. It checks that it does not write past the end of the destination memory, but the source length was not checked. This resulted in reading from a possibly invalid memory location, which may cause a segmentation fault. Add a check for the string length of the source.
Diffstat (limited to 'socket.c')
-rw-r--r--socket.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/socket.c b/socket.c
index 546a6bd4..93e43e69 100644
--- a/socket.c
+++ b/socket.c
@@ -111,7 +111,7 @@ static char *const *parse_plugin(const char *plugin, const char *host, const cha
return NULL;
}
- while (plugin_copy_offset < plugin_copy_len)
+ while (plugin_offset < plugin_len && plugin_copy_offset < plugin_copy_len)
{ if ((plugin[plugin_offset] == '%') && (plugin[plugin_offset + 1] == 'h'))
{ strcpy(plugin_copy + plugin_copy_offset, host);
plugin_offset += 2;
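Review bot: The `strcpy(plugin_copy + plugin_copy_offset, host);` in the `%h` branch is still unbounded: the new loop condition only establishes `plugin_copy_offset < plugin_copy_len` before the copy, not that the whole of `host` fits in the space that remains. Whether it always fits depends on how `plugin_copy_len` is computed, which is outside this hunk, so I would either check `strlen(host) <= plugin_copy_len - plugin_copy_offset` before copying and fail the parse otherwise, or add a comment at the loop stating the sizing invariant. Because the loop can now stop with `plugin_copy_offset` below `plugin_copy_len`, the code after the loop (not visible here) should write the terminating NUL at `plugin_copy_offset` rather than at `plugin_copy_len`. The read of `plugin[plugin_offset + 1]` is in bounds only if `plugin_len` is `strlen(plugin)`, so that the furthest byte read is the terminator; that is worth confirming against the lines above the hunk.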