diff options
Diffstat (limited to 'mail/fetchmail/files/patch-CVE-2012-3482')
-rw-r--r-- | mail/fetchmail/files/patch-CVE-2012-3482 | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/mail/fetchmail/files/patch-CVE-2012-3482 b/mail/fetchmail/files/patch-CVE-2012-3482 new file mode 100644 index 000000000000..64e4588effe1 --- /dev/null +++ b/mail/fetchmail/files/patch-CVE-2012-3482 @@ -0,0 +1,53 @@ +diff --git a/ntlm.h b/ntlm.h +index 1469633..ad83520 100644 +--- a/ntlm.h ++++ b/ntlm.h +@@ -32,8 +32,8 @@ uint32 msgType; + tSmbStrHeader uDomain; + uint32 flags; + uint8 challengeData[8]; +-uint8 reserved[8]; +-tSmbStrHeader emptyString; ++uint32 context[2]; ++tSmbStrHeader targetInfo; + uint8 buffer[1024]; + uint32 bufIndex; + }tSmbNtlmAuthChallenge; +diff --git a/ntlmsubr.c b/ntlmsubr.c +index f9d2733..63cbed8 100644 +--- a/ntlmsubr.c ++++ b/ntlmsubr.c +@@ -55,7 +55,32 @@ int ntlm_helper(int sock, struct query *ctl, const char *proto) + if ((result = gen_recv(sock, msgbuf, sizeof msgbuf))) + goto cancelfail; + +- (void)from64tobits (&challenge, msgbuf, sizeof(challenge)); ++ if ((result = from64tobits (&challenge, msgbuf, sizeof(challenge))) < 0 ++ || result < ((void *)&challenge.context - (void *)&challenge)) ++ { ++ report (stderr, GT_("could not decode BASE64 challenge\n")); ++ /* We do not goto cancelfail; the server has already sent the ++ * tagged reply, so the protocol exchange has ended, no need ++ * for us to send the asterisk. */ ++ return PS_AUTHFAIL; ++ } ++ ++ /* validate challenge: ++ * - ident ++ * - message type ++ * - that offset points into buffer ++ * - that offset + length does not wrap ++ * - that offset + length is not bigger than buffer */ ++ if (0 != memcmp("NTLMSSP", challenge.ident, 8) ++ || challenge.msgType != 2 ++ || challenge.uDomain.offset > result ++ || challenge.uDomain.offset + challenge.uDomain.len < challenge.uDomain.offset ++ || challenge.uDomain.offset + challenge.uDomain.len > result) ++ { ++ report (stderr, GT_("NTLM challenge contains invalid data.\n")); ++ result = PS_AUTHFAIL; ++ goto cancelfail; ++ } + + if (outlevel >= O_DEBUG) + dumpSmbNtlmAuthChallenge(stdout, &challenge); |