base64 functions with SASL in INN
Russ Allbery
rra at stanford.edu
Fri Jun 19 19:03:47 UTC 2009
Julien ÉLIE <julien at trigofacile.com> writes:
> According to <https://bugzilla.redhat.com/show_bug.cgi?id=501452>, we need
> in imap_connection.c:
>
> inbase64 = xmalloc(outlen * 2 + 10);
>
> /* convert to base64 */
> saslresult = sasl_encode64(out, outlen,
> - inbase64, outlen*2, (unsigned *) &inbase64len);
> + inbase64, outlen*2 + 1, (unsigned *) &inbase64len);
>
> if (saslresult != SASL_OK) return RET_FAIL;
>
> /* append endline */
> strlcpy(inbase64 + inbase64len, "\r\n", outlen * 2 + 10 - inbase64len);
> inbase64len+=2;
>
> But I believe it should be "outlen*2 + 10" (and thus, there was
> already a bug).
It should at most be +8, since we want to have the space to append the
CRLF into the same buffer.
> Index: nnrpd/sasl.c
> ===================================================================
> --- nnrpd/sasl.c (révision 8509)
> +++ nnrpd/sasl.c (copie de travail)
> @@ -32,7 +32,8 @@
> { SASL_CB_LIST_END, NULL, NULL }
> };
>
> -#define BASE64_BUF_SIZE 21848 /* Per RFC 2222bis: ((16K / 3) + 1) * 4. */
> +#define BASE64_BUF_SIZE 21848 /* Per RFC 4422: (E(n/3) + 1) * 4
> + where n = 16 kB = 16384 bytes. */
>
>
> /*
> @@ -189,9 +190,11 @@
>
> while (r == SASL_CONTINUE || (r == SASL_OK && serveroutlen != 0)) {
> if (serveroutlen != 0) {
> - /* Encode the server challenge. */
> + /* Encode the server challenge.
> + * In sasl_encode64() calls, the fourth argument is the length
> + * of the third including the null terminator. */
> r1 = sasl_encode64(serverout, serveroutlen,
> - base64, BASE64_BUF_SIZE, NULL);
> + base64, BASE64_BUF_SIZE+1, NULL);
> if (r1 != SASL_OK)
> r = r1;
> }
This change looks wrong -- it looks like we're telling sasl_encode64
that we have a larger buffer than we actually do. That could lead it to
writing beyond the end of the buffer. I think that argument should be
whatever the buffer size really is.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
Please send questions to the list rather than mailing me directly.
<http://www.eyrie.org/~eagle/faqs/questions.html> explains why.
More information about the inn-workers
mailing list