INN commit: trunk (3 files)
INN Commit
rra at isc.org
Sat Jun 20 13:09:15 UTC 2009
Date: Saturday, June 20, 2009 @ 06:09:14
Author: iulius
Revision: 8522
* Fixed a segfault in imap_connection which can occur when SASL
is used (overflow in strlcpy).
* Owing to the US-CERT vulnerability note VU#238019, the Cyrus SASL library
has slightly changed. imap_connection and nnrpd now handle
that change. Otherwise, some answers are too long to be properly
computed during SASL exchanges (because of a new null character
added by sasl_encode64).
Modified:
trunk/doc/pod/news.pod
trunk/innfeed/imap_connection.c
trunk/nnrpd/sasl.c
---------------------------+
doc/pod/news.pod | 19 ++++++++--
innfeed/imap_connection.c | 81 ++++++++++++++++++++++++++------------------
nnrpd/sasl.c | 9 +++-
3 files changed, 70 insertions(+), 39 deletions(-)
Modified: doc/pod/news.pod
===================================================================
--- doc/pod/news.pod 2009-06-20 12:29:44 UTC (rev 8521)
+++ doc/pod/news.pod 2009-06-20 13:09:14 UTC (rev 8522)
@@ -4,12 +4,25 @@
=item *
-Fixed a segfault when retrieving via HDR/XHDR/XPAT the contents of an extra
-overview field absent from the headers of an article. The NEWNEWS command
-was also affected on very rare cases. Thanks to Tim Woodall for the bug report.
+Fixed a segfault in B<imap_connection> which could occur when SASL
+was used.
=item *
+Owing to the US-CERT vulnerability note VU#238019, Cyrus SASL library
+has slightly changed. B<imap_connection> and B<nnrpd> now handle
+that change. Otherwise, some answers are too long to be properly
+computed during SASL exchanges.
+
+=item *
+
+Fixed a memory allocation problem which caused B<nnrpd> to die when
+retrieving via HDR/XHDR/XPAT the contents of an extra overview field
+absent from the headers of an article. The NEWNEWS command was also
+affected on very rare cases. Thanks to Tim Woodall for the bug report.
+
+=item *
+
HDR/XHDR/XPAT answers are now robust when the overview database is
inconsistent. When the overview schema was modified without the overview
database being rebuilt, wrong results could be returned for extra fields
Modified: innfeed/imap_connection.c
===================================================================
--- innfeed/imap_connection.c 2009-06-20 12:29:44 UTC (rev 8521)
+++ innfeed/imap_connection.c 2009-06-20 13:09:14 UTC (rev 8522)
@@ -2153,13 +2153,18 @@
/* empty initial client response */
p = concat("AUTH ", mechusing, " =\r\n", (char *) 0);
} else {
- /* initial client response - convert to base64 */
- inbase64 = xmalloc(outlen*2+10);
+ /* Initial client response - convert to base64.
+ * 2n+7 bytes are enough to contain the result of the base64
+ * encoding of a string whose length is n bytes.
+ * In sasl_encode64() calls, the fourth argument is the length
+ * of the third including the null terminator (thus 2n+8 bytes). */
+ inbase64 = xmalloc(outlen*2 + 8);
- saslresult = sasl_encode64(out, outlen,
- inbase64, outlen*2+10,
+ saslresult = sasl_encode64(out, outlen,
+ inbase64, outlen*2 + 8,
(unsigned *) &inbase64len);
- if (saslresult != SASL_OK) return RET_FAIL;
+ if (saslresult != SASL_OK)
+ return RET_FAIL;
p = concat("AUTH ", mechusing, " ", inbase64, "\r\n", (char *) 0);
free(inbase64);
}
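Review bot: The `return RET_FAIL;` taken when `sasl_encode64()` fails leaves the buffer from `xmalloc(outlen*2 + 8)` allocated, because `free(inbase64)` is only reached on the success path. Freeing before the return closes it: `if (saslresult != SASL_OK) { free(inbase64); return RET_FAIL; }`. The same early exit without a free appears in the hunks at @@ -2420 (before `return RET_FAIL;`) and @@ -3386 (before `lmtp_Disconnect(cxn); return;`), although whether those buffers are released later on the success path lies outside the hunks. These paths run during authentication against a remote server, so a failure that repeats would leak one buffer per attempt in a long-running feeder.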
@@ -2420,21 +2425,26 @@
cxn->imap_state = IMAP_CONNECTED_NOTAUTH;
return RET_FAIL;
}
+ /* Convert to base64.
+ * 2n+7 bytes are enough to contain the result of the base64
+ * encoding of a string whose length is n bytes.
+ * In sasl_encode64() calls, the fourth argument is the length
+ * of the third including the null terminator (thus 2n+8 bytes).
+ * And CRLF takes the last two bytes (thus 2n+10 bytes). */
+ inbase64 = xmalloc(outlen*2 + 10);
- inbase64 = xmalloc(outlen * 2 + 10);
-
- /* convert to base64 */
saslresult = sasl_encode64(out, outlen,
- inbase64, outlen*2, (unsigned *) &inbase64len);
+ inbase64, outlen*2 + 8, (unsigned *) &inbase64len);
- if (saslresult != SASL_OK) return RET_FAIL;
+ if (saslresult != SASL_OK)
+ return RET_FAIL;
- /* append endline */
- strlcpy(inbase64 + inbase64len, "\r\n", outlen * 2 + 10 - inbase64len);
- inbase64len+=2;
+ /* Append endline. */
+ strlcpy(inbase64 + inbase64len, "\r\n", outlen*2 + 10 - inbase64len);
+ inbase64len += 2;
- /* send to server */
- result = WriteToWire_imapstr(cxn,inbase64, inbase64len);
+ /* Send to server. */
+ result = WriteToWire_imapstr(cxn, inbase64, inbase64len);
cxn->imap_state = IMAP_WRITING_STEPAUTH;
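Review bot: The buffer size is written out three times in this hunk (`outlen*2 + 10` for `xmalloc()`, `outlen*2 + 8` for `sasl_encode64()`, `outlen*2 + 10 - inbase64len` for `strlcpy()`), and the overflow fixed here came from exactly such expressions drifting apart. A single local, for example `size_t b64size = outlen*2 + 10;` with `b64size - 2` passed to `sasl_encode64()` and `b64size - inbase64len` to `strlcpy()`, would keep allocation and bounds in step; the hunk at @@ -3386 repeats the same three expressions. Separately, the encode-failure path returns `RET_FAIL` without the `cxn->imap_state = IMAP_CONNECTED_NOTAUTH;` that the preceding failure path sets, which may be intentional but is worth confirming. The enclosing function starts and ends outside the hunk.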
@@ -3386,29 +3396,34 @@
return;
}
- /* convert to base64 */
- inbase64 = xmalloc(outlen*2+10);
+ /* Convert to base64.
+ * 2n+7 bytes are enough to contain the result of the base64
+ * encoding of a string whose length is n bytes.
+ * In sasl_encode64() calls, the fourth argument is the length
+ * of the third including the null terminator (thus 2n+8 bytes).
+ * And CRLF takes the last two bytes (thus 2n+10 bytes). */
+ inbase64 = xmalloc(outlen*2 + 10);
- saslresult = sasl_encode64(out, outlen,
- inbase64, outlen*2+10,
- (unsigned *) &inbase64len);
-
- if (saslresult != SASL_OK)
- {
- d_printf(0,"%s:%d:LMTP sasl_encode64(): %s\n",
- hostPeerName (cxn->myHost),cxn->ident,
- sasl_errstring(saslresult,NULL,NULL));
+ saslresult = sasl_encode64(out, outlen,
+ inbase64, outlen*2 + 8,
+ (unsigned *) &inbase64len);
- lmtp_Disconnect(cxn);
- return;
- }
+ if (saslresult != SASL_OK) {
+ d_printf(0,"%s:%d:LMTP sasl_encode64(): %s\n",
+ hostPeerName(cxn->myHost), cxn->ident,
+ sasl_errstring(saslresult, NULL, NULL));
- /* add an endline */
- strlcpy(inbase64 + inbase64len, "\r\n", outlen * 2 + 10);
+ lmtp_Disconnect(cxn);
+ return;
+ }
- /* send to server */
- result = WriteToWire_lmtpstr(cxn,inbase64, inbase64len+2);
+ /* Add an endline. */
+ strlcpy(inbase64 + inbase64len, "\r\n", outlen*2 + 10 - inbase64len);
+ inbase64len += 2;
+ /* Send to server. */
+ result = WriteToWire_lmtpstr(cxn, inbase64, inbase64len);
+
if (result != RET_OK)
{
d_printf(0,"%s:%d:LMTP WriteToWire() failure\n",
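Review bot: The `(unsigned *) &inbase64len` cast handed to `sasl_encode64()` suggests that `inbase64len` is not declared as `unsigned`; its declaration is outside the hunk. If it is a wider type such as `size_t`, on platforms where the widths differ the call writes only part of the object, and the new `outlen*2 + 10 - inbase64len` bound given to `strlcpy()` then depends on a partly written value. Receiving the length in a real `unsigned` and copying it over removes the cast: `unsigned enclen;`, pass `&enclen`, then `inbase64len = enclen;`. The same cast is present in the hunks at @@ -2153 and @@ -2420.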
Modified: nnrpd/sasl.c
===================================================================
--- nnrpd/sasl.c 2009-06-20 12:29:44 UTC (rev 8521)
+++ nnrpd/sasl.c 2009-06-20 13:09:14 UTC (rev 8522)
@@ -32,7 +32,8 @@
{ SASL_CB_LIST_END, NULL, NULL }
};
-#define BASE64_BUF_SIZE 21848 /* Per RFC 2222bis: ((16K / 3) + 1) * 4. */
+#define BASE64_BUF_SIZE 21848 /* Per RFC 4422: (floor(n/3) + 1) * 4
+ where n = 16 kB = 16384 bytes. */
/*
@@ -189,9 +190,11 @@
while (r == SASL_CONTINUE || (r == SASL_OK && serveroutlen != 0)) {
if (serveroutlen != 0) {
- /* Encode the server challenge. */
+ /* Encode the server challenge.
+ * In sasl_encode64() calls, the fourth argument is the length
+ * of the third including the null terminator. */
r1 = sasl_encode64(serverout, serveroutlen,
- base64, BASE64_BUF_SIZE, NULL);
+ base64, BASE64_BUF_SIZE+1, NULL);
if (r1 != SASL_OK)
r = r1;
}
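Review bot: Passing `BASE64_BUF_SIZE+1` as the output length is only safe if `base64` is declared with at least `BASE64_BUF_SIZE+1` bytes. The declaration is outside this hunk and should be confirmed, since otherwise the terminating null that `sasl_encode64()` writes lands one byte past the array. If `base64` is a true array in this scope, passing `sizeof(base64)` instead would tie the length to the storage and remove the need for two separate `+1`s to stay in sync.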