web/SOURCES/dovecot-2.3.8-CVE_2020_1267...

From 1c6405d3026e5ceae3d214d63945bba85251af4c Mon Sep 17 00:00:00 2001
From: Aki Tuomi <aki.tuomi@open-xchange.com>
Date: Mon, 18 May 2020 12:33:39 +0300
Subject: [PATCH 2/3] lib-ntlm: Check buffer length on responses

Add missing check for buffer length.

If this is not checked, it is possible to send message which
causes read past buffer bug.

Broken in c7480644202e5451fbed448508ea29a25cffc99c
---
 src/lib-ntlm/ntlm-message.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c
index 160b9f918c..a29413b47e 100644
--- a/src/lib-ntlm/ntlm-message.c
+++ b/src/lib-ntlm/ntlm-message.c
@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,
 	if (length == 0 && space == 0)
 		return 1;
 
+	if (length > data_size) {
+		*error = "buffer length out of bounds";
+		return 0;
+	}
+
 	if (offset >= data_size) {
 		*error = "buffer offset out of bounds";
 		return 0;
-- 
2.11.0
dovecot package update Signed-off-by: webbuilder_pel7ppc64lebuilder0 <webbuilder@powerel.org> 3 years ago			`From 1c6405d3026e5ceae3d214d63945bba85251af4c Mon Sep 17 00:00:00 2001`
			`From: Aki Tuomi <aki.tuomi@open-xchange.com>`
			`Date: Mon, 18 May 2020 12:33:39 +0300`
			`Subject: [PATCH 2/3] lib-ntlm: Check buffer length on responses`

			`Add missing check for buffer length.`

			`If this is not checked, it is possible to send message which`
			`causes read past buffer bug.`

			`Broken in c7480644202e5451fbed448508ea29a25cffc99c`
			`---`
			`src/lib-ntlm/ntlm-message.c \| 5 +++++`
			`1 file changed, 5 insertions(+)`

			`diff --git a/src/lib-ntlm/ntlm-message.c b/src/lib-ntlm/ntlm-message.c`
			`index 160b9f918c..a29413b47e 100644`
			`--- a/src/lib-ntlm/ntlm-message.c`
			`+++ b/src/lib-ntlm/ntlm-message.c`
			`@@ -184,6 +184,11 @@ static bool ntlmssp_check_buffer(const struct ntlmssp_buffer *buffer,`
			`if (length == 0 && space == 0)`
			`return 1;`

			`+ if (length > data_size) {`
			`+ *error = "buffer length out of bounds";`
			`+ return 0;`
			`+ }`
			`+`
			`if (offset >= data_size) {`
			`*error = "buffer offset out of bounds";`
			`return 0;`
			`--`
			`2.11.0`