diff options
| author | Denis Vlasenko <vda.linux@googlemail.com> | 2009-03-12 15:35:26 +0000 |
|---|---|---|
| committer | Denis Vlasenko <vda.linux@googlemail.com> | 2009-03-12 15:35:26 +0000 |
| commit | 4abaec50a260f7d1d704ab33d54e0148e4f8626e (patch) | |
| tree | 3d2e3a78088ba827ca22e07019c36fde4ffc4579 /mailutils/popmaildir.c | |
| parent | dec37b3232d3dce3fb3ad024845f46d882558777 (diff) | |
| download | busybox-w32-4abaec50a260f7d1d704ab33d54e0148e4f8626e.tar.gz busybox-w32-4abaec50a260f7d1d704ab33d54e0148e4f8626e.tar.bz2 busybox-w32-4abaec50a260f7d1d704ab33d54e0148e4f8626e.zip | |
popmaildir: fix several grave bugs with using memory past end of malloc block
Diffstat (limited to 'mailutils/popmaildir.c')
| -rw-r--r-- | mailutils/popmaildir.c | 52 |
1 files changed, 25 insertions, 27 deletions
diff --git a/mailutils/popmaildir.c b/mailutils/popmaildir.c index d2cc7c0b9..1a72b87c5 100644 --- a/mailutils/popmaildir.c +++ b/mailutils/popmaildir.c | |||
| @@ -16,12 +16,14 @@ static void pop3_checkr(const char *fmt, const char *param, char **ret) | |||
| 16 | { | 16 | { |
| 17 | const char *msg = command(fmt, param); | 17 | const char *msg = command(fmt, param); |
| 18 | char *answer = xmalloc_fgetline(stdin); | 18 | char *answer = xmalloc_fgetline(stdin); |
| 19 | if (answer && '+' == *answer) { | 19 | if (answer && '+' == answer[0]) { |
| 20 | if (timeout) | 20 | if (timeout) |
| 21 | alarm(0); | 21 | alarm(0); |
| 22 | if (ret) | 22 | if (ret) { |
| 23 | *ret = answer+4; // skip "+OK " | 23 | // skip "+OK " |
| 24 | else if (ENABLE_FEATURE_CLEAN_UP) | 24 | memmove(answer, answer + 4, strlen(answer) - 4); |
| 25 | *ret = answer; | ||
| 26 | } else | ||
| 25 | free(answer); | 27 | free(answer); |
| 26 | return; | 28 | return; |
| 27 | } | 29 | } |
| @@ -94,31 +96,28 @@ int popmaildir_main(int argc UNUSED_PARAM, char **argv) | |||
| 94 | 96 | ||
| 95 | // authenticate (if no -s given) | 97 | // authenticate (if no -s given) |
| 96 | if (!(opts & OPT_s)) { | 98 | if (!(opts & OPT_s)) { |
| 97 | // server supports APOP and we want it? -> use it | 99 | // server supports APOP and we want it? |
| 98 | if ('<' == *buf && (opts & OPT_a)) { | 100 | if ('<' == buf[0] && (opts & OPT_a)) { |
| 99 | md5_ctx_t md5; | 101 | union { // save a bit of stack |
| 100 | // yes! compose <stamp><password> | 102 | md5_ctx_t ctx; |
| 103 | char hex[16 * 2 + 1]; | ||
| 104 | } md5; | ||
| 105 | uint32_t res[16 / 4]; | ||
| 106 | |||
| 101 | char *s = strchr(buf, '>'); | 107 | char *s = strchr(buf, '>'); |
| 102 | if (s) | 108 | if (s) |
| 103 | strcpy(s+1, G.pass); | 109 | s[1] = '\0'; |
| 104 | s = buf; | 110 | // get md5 sum of "<stamp>password" string |
| 105 | // get md5 sum of <stamp><password> | 111 | md5_begin(&md5.ctx); |
| 106 | md5_begin(&md5); | 112 | md5_hash(buf, strlen(buf), &md5.ctx); |
| 107 | md5_hash(s, strlen(s), &md5); | 113 | md5_hash(G.pass, strlen(G.pass), &md5.ctx); |
| 108 | md5_end(s, &md5); | 114 | md5_end(res, &md5.ctx); |
| 109 | // NOTE: md5 struct contains enough space | 115 | *bin2hex(md5.hex, (char*)res, 16) = '\0'; |
| 110 | // so we reuse md5 space instead of xzalloc(16*2+1) | ||
| 111 | #define md5_hex ((uint8_t *)&md5) | ||
| 112 | // uint8_t *md5_hex = (uint8_t *)&md5; | ||
| 113 | *bin2hex((char *)md5_hex, s, 16) = '\0'; | ||
| 114 | // APOP | 116 | // APOP |
| 115 | s = xasprintf("%s %s", G.user, md5_hex); | 117 | s = xasprintf("%s %s", G.user, md5.hex); |
| 116 | #undef md5_hex | ||
| 117 | pop3_check("APOP %s", s); | 118 | pop3_check("APOP %s", s); |
| 118 | if (ENABLE_FEATURE_CLEAN_UP) { | 119 | free(s); |
| 119 | free(s); | 120 | free(buf); |
| 120 | free(buf-4); // buf is "+OK " away from malloc'ed string | ||
| 121 | } | ||
| 122 | // server ignores APOP -> use simple text authentication | 121 | // server ignores APOP -> use simple text authentication |
| 123 | } else { | 122 | } else { |
| 124 | // USER | 123 | // USER |
| @@ -141,8 +140,7 @@ int popmaildir_main(int argc UNUSED_PARAM, char **argv) | |||
| 141 | // if atoi fails to convert buf into number it returns 0 | 140 | // if atoi fails to convert buf into number it returns 0 |
| 142 | // in this case the following loop simply will not be executed | 141 | // in this case the following loop simply will not be executed |
| 143 | nmsg = atoi(buf); | 142 | nmsg = atoi(buf); |
| 144 | if (ENABLE_FEATURE_CLEAN_UP) | 143 | free(buf); |
| 145 | free(buf-4); // buf is "+OK " away from malloc'ed string | ||
| 146 | 144 | ||
| 147 | // loop through messages | 145 | // loop through messages |
| 148 | retr = (opts & OPT_T) ? xasprintf("TOP %%u %u", opt_nlines) : "RETR %u"; | 146 | retr = (opts & OPT_T) ? xasprintf("TOP %%u %u", opt_nlines) : "RETR %u"; |