From 7c33daaf6fd2bd4342903ad5ce025b5ab6bc89bd Mon Sep 17 00:00:00 2001
From: "Eric S. Raymond"
Date: Sun, 10 Mar 2002 19:24:11 +0000
Subject: Ready to put in esmtp password.

svn path=/trunk/; revision=3595
---
 driver.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

(limited to 'driver.c')

diff --git a/driver.c b/driver.c
index 56c37a73..a94c2445 100644
--- a/driver.c
+++ b/driver.c
@@ -15,6 +15,7 @@
 #endif /* HAVE_MEMORY_H */
 #if defined(STDC_HEADERS)
 #include
+#include
 #endif
 #if defined(HAVE_UNISTD_H)
 #include
@@ -1301,6 +1302,19 @@ is restored."));
 */
 force_retrieval = !peek_capable && (ctl->errcount > 0);
 
+ /*
+ * Don't trust the message count passed by the server.
+ * Without this check, it might be possible to do a
+ * DNS-spoofing attack that would pass back a ridiculous
+ * count, and allocate a malloc area that would overlap
+ * a portion of the stack.
+ */
+ if (count > INT_MAX/sizeof(int))
+ {
+ report(stderr, "bogus message count!");
+ return(PS_PROTOCOL);
+ }
+
 /* OK, we're going to gather size info next */
 xalloca(msgsizes, int *, sizeof(int) * count);
 xalloca(msgcodes, int *, sizeof(int) * count);
-- 
cgit v1.2.3
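Review bot: The new bound `count > INT_MAX/sizeof(int)` in the second hunk only keeps `sizeof(int) * count` from wrapping; it still accepts a server-supplied count in the hundreds of millions, and the two `xalloca` calls right after it would then each request on the order of gigabytes. If `xalloca` is the alloca wrapper its name suggests, such a request has no failure return and is carved out of the stack, so the hostile-server case the added comment describes is narrowed rather than closed. I would move `msgsizes` and `msgcodes` to checked heap allocation released on every exit path (the enclosing function starts and ends outside the hunk, so those exits are not visible here), or at minimum cap `count` at a limit the stack can actually hold. Separately, if `count` is an `int`, the comparison is signed against `size_t` and a negative count is rejected only through the implicit conversion; `if (count < 0 || count > INT_MAX/sizeof(int))` would state that intent explicitly.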