
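--- a/imapd.c.orig
+++ b/imapd.c.orig
@@ -286,6 +286,11 @@
     if (!ulen) ulen = strlen(user);
 
     if (config_getswitch(IMAPOPT_IMAPMAGICPLUS)) {
+        if (ulen > MAX_MAILBOX_NAME) {
+            sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
+            return SASL_BUFOVER;
+        }
+
 	/* make a working copy of the auth[z]id */
 	memcpy(userbuf, user, ulen);
 	userbuf[ulen] = '\0';
@@ -345,6 +350,11 @@
 
 	/* make a working copy of the authzid */
 	if (!rlen) rlen = strlen(requested_user);
+	if (rlen > MAX_MAILBOX_NAME) {
+	    sasl_seterror(conn, 0, "buffer overflow while proxying");
+	    return SASL_BUFOVER;
+	}
+
 	memcpy(userbuf, requested_user, rlen);
 	userbuf[rlen] = '\0';
 	requested_user = userbuf;
@@ -2349,10 +2359,13 @@
     while (!r && c == ' ') {
 	/* Grow the stage array, if necessary */
 	if (numstage == numalloc) {
+	    if (numalloc > INT_MAX/(2*sizeof(struct appendstage *)))
+		goto done;
 	    numalloc *= 2;
 	    stage = xrealloc(stage, numalloc * sizeof(struct appendstage *));
 	}
-	curstage = stage[numstage++] = xzmalloc(sizeof(struct appendstage));
+	curstage = stage[numstage] = xzmalloc(sizeof(struct appendstage));
+	++numstage;
 
 	/* Parse flags */
 	c = getword(imapd_in, &arg);
@@ -2372,7 +2385,8 @@
 			(char **) xrealloc((char *) curstage->flag, 
 					   curstage->flagalloc * sizeof(char *));
 		}
-		curstage->flag[curstage->nflags++] = xstrdup(arg.s);
+		curstage->flag[curstage->nflags] = xstrdup(arg.s);
+		++curstage->nflags;
 	    } while (c == ' ');
 	    if (c != ')') {
 		parseerr = 
@@ -2770,10 +2784,10 @@
 		int binsize = 0;
 
 		p = section = fetchatt.s + 7;
-		if (*p == 'P') {
+		if (!strncmp(p, "PEEK[", 5)) {
 		    p = section += 5;
 		}
-		else if (*p == 'S') {
+		else if (!strncmp(p, "SIZE[", 5)) {
 		    p = section += 5;
 		    binsize = 1;
 		}
@@ -2813,7 +2827,7 @@
 	    else if (!strncmp(fetchatt.s, "BODY[", 5) ||
 		     !strncmp(fetchatt.s, "BODY.PEEK[", 10)) {
 		p = section = fetchatt.s + 5;
-		if (*p == 'P') {
+		if (!strncmp(p, "PEEK[", 5)) {
 		    p = section += 5;
 		}
 		else {
@@ -3154,7 +3168,7 @@
     else if (!strncmp(data, "body[", 5) ||
 	     !strncmp(data, "body.peek[", 10)) {
 	p = section = data + 5;
-	if (*p == 'p') {
+	if (!strncmp(p, "peek[", 5)) {
 	    p = section += 5;
 	}
 	else {
@@ -3314,7 +3328,8 @@
 		flag = (char **)xrealloc((char *)flag,
 					 flagalloc*sizeof(char *));
 	    }
-	    flag[nflags++] = xstrdup(flagname.s);
+	    flag[nflags] = xstrdup(flagname.s);
+	    ++nflags;
 	}
 
 	flagsparsed++;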
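Review bot: The new overflow guard in the stage-array growth (new lines 2362-2363) jumps to `done` without recording a failure: the loop condition `!r` means `r` is still zero there, and nothing visible in the hunk sets `r` or `parseerr` before the `goto`. Unless the code at `done`, which is outside the hunk, treats this path as an error, the request is cut short with no failure reported to the client; assigning an error first in a braced body, e.g. `parseerr = "Too many messages in append";` before `goto done;`, would make the rejection explicit. The comparison also mixes `numalloc` with a `size_t` quotient, so it is worth confirming from its declaration that `numalloc` cannot be negative. The `flagalloc` growth feeding the `xrealloc` calls in the hunks at new lines 2385 and 3328 shows no corresponding guard in the visible lines.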
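--- a/proxyd.c.orig
+++ b/proxyd.c.orig
@@ -1032,6 +1032,10 @@
 
     if (config_getswitch(IMAPOPT_IMAPMAGICPLUS)) {
 	/* make a working copy of the auth[z]id */
+	if (ulen > MAX_MAILBOX_NAME) {
+		sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
+		return SASL_BUFOVER;
+	}
 	memcpy(userbuf, user, ulen);
 	userbuf[ulen] = '\0';
 	user = userbuf;
@@ -1090,6 +1094,11 @@
 
 	/* make a working copy of the authzid */
 	if (!rlen) rlen = strlen(requested_user);
+
+	if (rlen > MAX_MAILBOX_NAME) {
+		sasl_seterror(conn, 0, "buffer overflow while proxying");
+		return SASL_BUFOVER;
+	}
 	memcpy(userbuf, requested_user, rlen);
 	userbuf[rlen] = '\0';
 	requested_user = userbuf;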
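Review bot: The added length checks compare against `MAX_MAILBOX_NAME`, but the writes that follow are `userbuf[ulen] = '\0'` (new line 1040) and `userbuf[rlen] = '\0'` (new line 1103), so they are sufficient only if `userbuf` holds at least `MAX_MAILBOX_NAME + 1` bytes; its declaration is outside both hunks. If `userbuf` is a local array, bounding by the buffer itself, `if (ulen >= sizeof(userbuf)) {` and `if (rlen >= sizeof(userbuf)) {`, keeps the check correct even if the declaration later changes. The same applies to the two matching checks in imapd.c.orig at new lines 289 and 353.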
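--- a/global.c.orig
+++ b/global.c.orig
@@ -427,12 +427,12 @@
 	return SASL_BADAUTH;
     }
     *out_ulen = strlen(canonuser);
-    if (*out_ulen > out_max) {
+    if (*out_ulen >= out_max) {
 	sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
 	return SASL_BUFOVER;
     }
     
-    strncpy(out, canonuser, out_max);
+    strcpy(out, canonuser);
 
     return SASL_OK;
 }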
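Review bot: With `strncpy` replaced by `strcpy` at new line 435, the copy itself no longer carries any bound; it is safe only because of the `*out_ulen >= out_max` check a few lines above. The length is already known at that point, so `memcpy(out, canonuser, *out_ulen + 1);` would state the byte count explicitly and still copy the terminator. A short comment on the check, such as `/* out_max counts the terminating NUL */`, would record why `>=` is the right comparison. The function begins above the hunk, so the meaning of `out_max` is inferred from this check and should be confirmed against the callers.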
