changeset 21197:3da1e36b61af
auth: Fix auth-policy crash when username is NULL
If SASL request is invalid, or incomplete, and username
is left NULL, handle it gracefully by adding just
NUL byte in auth policy digest for username.
author | Aki Tuomi <aki.tuomi@dovecot.fi> |
---|---|
date | Wed, 23 Nov 2016 13:16:19 +0200 |
parents | 4a0841b9fcc4 |
children | bb081fa224e0 |
files | src/auth/auth-policy.c |
diffstat | 1 files changed, 4 insertions(+), 1 deletions(-) |
--- a/src/auth/auth-policy.c Tue Nov 22 10:21:24 2016 -0500 +++ b/src/auth/auth-policy.c Wed Nov 23 13:16:19 2016 +0200 @@ -442,7 +442,10 @@ context->set->policy_hash_nonce, strlen(context->set->policy_hash_nonce)); /* use +1 to make sure \0 gets included */ - digest->loop(ctx, context->request->user, strlen(context->request->user) + 1); + if (context->request->user == NULL) + digest->loop(ctx, "\0", 1); + else + digest->loop(ctx, context->request->user, strlen(context->request->user) + 1); if (password != NULL) digest->loop(ctx, password, strlen(password)); ptr = (unsigned char*)str_c_modifiable(buffer);
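Review bot: In the new `context->request->user == NULL` branch, `digest->loop(ctx, "\0", 1)` feeds the digest the same single NUL byte that an empty-string username produces through the `strlen(context->request->user) + 1` path, so a NULL user and an empty user hash identically. If that is intended, say so in the comment, because the existing "use +1 to make sure \0 gets included" line now only describes the else branch. The duplication could also be avoided by choosing the pointer first, for example `const char *user = context->request->user != NULL ? context->request->user : "";` followed by a single `digest->loop(ctx, user, strlen(user) + 1);`, which keeps one hashing path and drops the `"\0"` literal (a two-byte array of which only the first byte is hashed).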