diff options
-rw-r--r-- | base64.c | 6 | ||||
-rw-r--r-- | cram.c | 2 | ||||
-rw-r--r-- | fetchmail.h | 2 | ||||
-rw-r--r-- | gssapi.c | 4 | ||||
-rw-r--r-- | kerberos.c | 4 | ||||
-rw-r--r-- | unmime.c | 4 |
6 files changed, 12 insertions, 10 deletions
@@ -52,7 +52,7 @@ void to64frombits(unsigned char *out, const unsigned char *in, int inlen) *out = '\0'; } -int from64tobits(char *out, const char *in) +int from64tobits(char *out, const char *in, int maxlen) /* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */ { int len = 0; @@ -77,8 +77,10 @@ int from64tobits(char *out, const char *in) if (digit4 != '=' && DECODE64(digit4) == BAD) return(-1); in += 4; - *out++ = (DECODE64(digit1) << 2) | (DECODE64(digit2) >> 4); ++len; + if (len && len >= maxlen) /* prevent buffer overflow */ + return(-1); + *out++ = (DECODE64(digit1) << 2) | (DECODE64(digit2) >> 4); if (digit3 != '=') { *out++ = ((DECODE64(digit2) << 4) & 0xf0) | (DECODE64(digit3) >> 2); @@ -89,7 +89,7 @@ int do_cram_md5 (int sock, char *command, struct query *ctl, char *strip) respdata = buf1; if (strip && strncmp(buf1, strip, strlen(strip)) == 0) respdata += strlen(strip); - len = from64tobits (msg_id, respdata); + len = from64tobits (msg_id, respdata, sizeof(msg_id)); if (len < 0) { report (stderr, GT_("could not decode BASE64 challenge\n")); diff --git a/fetchmail.h b/fetchmail.h index b8963ce8..1380ee95 100644 --- a/fetchmail.h +++ b/fetchmail.h @@ -505,7 +505,7 @@ int prc_filecheck(const char *, const flag); /* base64.c */ void to64frombits(unsigned char *, const unsigned char *, int); -int from64tobits(char *, const char *); +int from64tobits(char *, const char *, int len); /* unmime.c */ /* Bit-mask returned by MimeBodyType */ @@ -119,7 +119,7 @@ int do_gssauth(int sock, char *command, char *hostname, char *username) gss_release_name(&min_stat, &target_name); return result; } - request_buf.length = from64tobits(buf2, buf1 + 2); + request_buf.length = from64tobits(buf2, buf1 + 2, sizeof(buf2)); request_buf.value = buf2; sec_token = &request_buf; } @@ -131,7 +131,7 @@ int do_gssauth(int sock, char *command, char *hostname, char *username) if (result = gen_recv(sock, buf1, sizeof buf1)) return result; - request_buf.length = from64tobits(buf2, buf1 + 2); + request_buf.length = from64tobits(buf2, buf1 + 2, sizeof(buf2)); request_buf.value = buf2; maj_stat = gss_unwrap(&min_stat, context, @@ -69,7 +69,7 @@ int do_rfc1731(int sock, char *command, char *truename) return result; } - len = from64tobits(challenge1.cstr, buf1); + len = from64tobits(challenge1.cstr, buf1, sizeof(challenge1.cstr)); if (len < 0) { report(stderr, GT_("could not decode initial BASE64 challenge\n")); return PS_AUTHFAIL; @@ -208,7 +208,7 @@ int do_rfc1731(int sock, char *command, char *truename) * process is complete. */ - len = from64tobits(buf2, buf1); + len = from64tobits(buf2, buf1, sizeof(buf2x)); if (len < 0) { report(stderr, GT_("could not decode BASE64 ready response\n")); return PS_AUTHFAIL; @@ -71,7 +71,7 @@ void UnMimeHeader(unsigned char *hdr) /* Note: Decoding is done "in-situ", i.e. without using an * additional buffer for temp. storage. This is possible, since the * decoded string will always be shorter than the encoded string, - * due to the en- coding scheme. + * due to the encoding scheme. */ int state = S_COPY_PLAIN; @@ -171,7 +171,7 @@ void UnMimeHeader(unsigned char *hdr) int decoded_count; delimsave = *p; *p = '\r'; - decoded_count = from64tobits(p_out, p_in); + decoded_count = from64tobits(p_out, p_in, 0); *p = delimsave; if (decoded_count > 0) p_out += decoded_count; |