From 9ad747acc03b6184bfa1387caad0044e5296439e Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Sat, 14 Apr 2018 20:39:39 +0200 Subject: Prevent buffer overruns in do_gssauth() with long user names. Reported in private by Greg Hudson. --- NEWS | 4 ++++ gssapi.c | 11 ++++++++++- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index a9ef33b6..d910c19d 100644 --- a/NEWS +++ b/NEWS @@ -88,6 +88,10 @@ fetchmail-6.4.0 (not yet released): in favour of another configuration option that makes the insecurity in using this option clearer. +## SECURITY FIXES +* Fetchmail prevents buffer overruns in GSSAPI authentication with user names + beyond c. 6000 characters in length. Reported by Greg Hudson. + ## CHANGES * fetchmail 6.3.X is unsupported. * fetchmail now requires OpenSSL v1.0.2 or newer. diff --git a/gssapi.c b/gssapi.c index 31247e3b..85f19a66 100644 --- a/gssapi.c +++ b/gssapi.c @@ -268,7 +268,12 @@ cancelfail: buf_size = htonl(buf_size); /* do as they do... only matters if we do enc */ memcpy(buf1, &buf_size, 4); buf1[0] = GSSAUTH_P_NONE; - strlcpy(buf1+4, username, sizeof(buf1) - 4); /* server decides if princ is user */ + if (strlcpy(buf1 + 4, username, sizeof(buf1) - 4) >= sizeof(buf1) - 4) + { + report(stderr, GT_("GSSAPI username too long for static buffer.\n")); + goto cancelfail; + } + /* server decides if princ is user */ request_buf.length = 4 + strlen(username); request_buf.value = buf1; maj_stat = gss_wrap(&min_stat, context, 0, GSS_C_QOP_DEFAULT, &request_buf, @@ -277,6 +282,10 @@ cancelfail: report(stderr, GT_("Error creating security level request\n")); return PS_AUTHFAIL; } + if ((send_token.length + 3) * 4/3 >= sizeof(buf1) - 1) { + report(stderr, GT_("GSSAPI send_token too large (%llu) while sending username.\n"), (unsigned long long)send_token.length); + goto cancelfail; + } to64frombits(buf1, send_token.value, send_token.length); suppress_tags = TRUE; -- cgit v1.2.3