diff options
Diffstat (limited to 'main/dovecot/CVE-2020-12673.patch')
-rw-r--r-- | main/dovecot/CVE-2020-12673.patch | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/main/dovecot/CVE-2020-12673.patch b/main/dovecot/CVE-2020-12673.patch new file mode 100644 index 00000000000..9dd26e0350f --- /dev/null +++ b/main/dovecot/CVE-2020-12673.patch @@ -0,0 +1,31 @@ +From fb246611e62ad8c5a95b0ca180a63f17aa34b0d8 Mon Sep 17 00:00:00 2001 +From: Aki Tuomi <aki.tuomi@open-xchange.com> +Date: Mon, 18 May 2020 12:33:39 +0300 +Subject: [PATCH] lib-ntlm: Check buffer length on responses + +Add missing check for buffer length. + +If this is not checked, it is possible to send message which +causes read past buffer bug. + +Broken in c7480644202e5451fbed448508ea29a25cffc99c +--- + src/lib-ntlm/ntlm-message.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c +index 160b9f918c..a29413b47e 100644 +--- a/src/lib-ntlm/ntlm-message.c ++++ b/src/lib-ntlm/ntlm-message.c +@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer, + if (length == 0 && space == 0) + return TRUE; + ++ if (length > data_size) { ++ *error = "buffer length out of bounds"; ++ return FALSE; ++ } ++ + if (offset >= data_size) { + *error = "buffer offset out of bounds"; + return FALSE; |