aboutsummaryrefslogtreecommitdiffstats
path: root/main/dovecot/CVE-2020-12673.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/dovecot/CVE-2020-12673.patch')
-rw-r--r--main/dovecot/CVE-2020-12673.patch31
1 files changed, 31 insertions, 0 deletions
diff --git a/main/dovecot/CVE-2020-12673.patch b/main/dovecot/CVE-2020-12673.patch
new file mode 100644
index 00000000000..9dd26e0350f
--- /dev/null
+++ b/main/dovecot/CVE-2020-12673.patch
@@ -0,0 +1,31 @@
+From fb246611e62ad8c5a95b0ca180a63f17aa34b0d8 Mon Sep 17 00:00:00 2001
+From: Aki Tuomi <aki.tuomi@open-xchange.com>
+Date: Mon, 18 May 2020 12:33:39 +0300
+Subject: [PATCH] lib-ntlm: Check buffer length on responses
+
+Add missing check for buffer length.
+
+If this is not checked, it is possible to send message which
+causes read past buffer bug.
+
+Broken in c7480644202e5451fbed448508ea29a25cffc99c
+---
+ src/lib-ntlm/ntlm-message.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c
+index 160b9f918c..a29413b47e 100644
+--- a/src/lib-ntlm/ntlm-message.c
++++ b/src/lib-ntlm/ntlm-message.c
+@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,
+ if (length == 0 && space == 0)
+ return TRUE;
+
++ if (length > data_size) {
++ *error = "buffer length out of bounds";
++ return FALSE;
++ }
++
+ if (offset >= data_size) {
+ *error = "buffer offset out of bounds";
+ return FALSE;