dovecot-2.2: lib: fix md4/md5 buffer read overrun
dovecot at dovecot.org
dovecot at dovecot.org
Wed May 7 16:37:41 UTC 2014
details: http://hg.dovecot.org/dovecot-2.2/rev/fc627348087e
changeset: 17336:fc627348087e
user: Phil Carmody <phil at dovecot.fi>
date: Wed May 07 18:39:23 2014 +0300
description:
lib: fix md4/md5 buffer read overrun
uint_fast32_t may be 64 bits and read too many bytes at the end of the buffer.
This didn't actually break anything as long as there was 32 bits of readable
memory past the buffer.
diffstat:
src/lib/md4.c | 7 +++++--
src/lib/md5.c | 2 +-
2 files changed, 6 insertions(+), 3 deletions(-)
diffs (29 lines):
diff -r 4b67da0b86a3 -r fc627348087e src/lib/md4.c
--- a/src/lib/md4.c Wed May 07 19:34:42 2014 +0300
+++ b/src/lib/md4.c Wed May 07 18:39:23 2014 +0300
@@ -43,8 +43,11 @@
* doesn't work.
*/
#if defined(__i386__) || defined(__x86_64__) || defined(__vax__)
-#define SET(n) \
- (*(const uint_fast32_t *)&ptr[(n) * 4])
+/* uint_fast32_t might be 64 bit, and thus may read 4 more bytes
+ * beyond the end of the buffer. So only read precisely 32 bits
+ */
+#define SET(n) \
+ (*(const uint32_t *)&ptr[(n) * 4])
#define GET(n) \
SET(n)
#else
diff -r 4b67da0b86a3 -r fc627348087e src/lib/md5.c
--- a/src/lib/md5.c Wed May 07 19:34:42 2014 +0300
+++ b/src/lib/md5.c Wed May 07 18:39:23 2014 +0300
@@ -48,7 +48,7 @@
*/
#if defined(__i386__) || defined(__x86_64__) || defined(__vax__)
#define SET(n) \
- (*(const uint_fast32_t *)&ptr[(n) * 4])
+ (*(const uint32_t *)&ptr[(n) * 4])
#define GET(n) \
SET(n)
#else
More information about the dovecot-cvs
mailing list