Shrouding fix.
diff --git a/imap.c b/imap.c
index cf8d001fc51faafee432a132a4e64886afe376c2..c9792072d6ce5acc1c182a7b2de74b95ead3c358 100644 (file)
--- a/imap.c
+++ b/imap.c
@@ -11,6 +11,7 @@
 #include  <ctype.h>
 #if defined(STDC_HEADERS)
 #include  <stdlib.h>
+#include  <limits.h>
 #endif
 #include  "fetchmail.h"
 #include  "socket.h"
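Review bot: INT_MAX is used unconditionally by the new check in imap_ok, but the `<limits.h>` include is placed inside the `#if defined(STDC_HEADERS)` block, so on any build where STDC_HEADERS is not defined the second hunk will not compile. `<limits.h>` is one of the headers every conforming C implementation must provide, freestanding or hosted, so it has no reason to sit under that guard. Move it out of the conditional, e.g. `#include <limits.h>` directly after `#include <ctype.h>`.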
@@ -59,6 +60,19 @@ static int imap_ok(int sock, char *argbuf)
        else if (strstr(buf, "EXISTS"))
        {
            count = atoi(buf+2);
+           /*
+            * Don't trust the message count passed by the server.
+            * Without this check, it might be possible to do a
+            * DNS-spoofing attack that would pass back a ridiculous 
+            * count, and allocate a malloc area that would overlap
+            * a portion of the stack.
+            */
+           if (count > INT_MAX/sizeof(int))
+           {
+               report(stderr, "bogus message count!");
+               return(PS_PROTOCOL);
+           }
+
            /*
             * Nasty kluge to handle RFC2177 IDLE.  If we know we're idling
             * we can't wait for the tag matching the IDLE; we have to tell the
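Review bot: The new bound compares with mixed signedness: `count` is an int from atoi() while `INT_MAX/sizeof(int)` is a size_t, so a negative count is rejected only because the usual arithmetic conversions turn it into a huge unsigned value, which is accidental rather than stated. Worse, the check runs after atoi() has already converted the server's digits, and atoi() has undefined behaviour when the value does not fit in an int, which is precisely what an untrusted server can send. Make the rejection explicit with `if (count < 0 || (size_t)count > INT_MAX/sizeof(int))`, and preferably replace the `count = atoi(buf+2);` context line with strtol(), checking `errno == ERANGE` and the end pointer before the range comparison. The enclosing imap_ok begins before this hunk, and the atoi line is context the commit did not alter.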
@@ -425,7 +439,7 @@ static int imap_getauth(int sock, struct query *ctl, char *greeting)
        imap_canonicalize(remotename, ctl->remotename, NAMELEN);
        imap_canonicalize(password, ctl->password, PASSWORDLEN);
 
-       strcpy(shroud, ctl->password);
+       strcpy(shroud, password);
        ok = gen_transact(sock, "LOGIN \"%s\" \"%s\"", remotename, password);
        shroud[0] = '\0';
        if (ok)
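Review bot: `strcpy(shroud, password)` remains an unbounded copy, and the later `shroud[0] = '\0';` clears only the first byte, so the rest of the password stays in the shroud buffer after the LOGIN exchange. Copying the canonicalized password is the right change, since that is the string gen_transact actually sends and therefore what must be masked. If shroud is a fixed-size array, bound the copy with `snprintf(shroud, sizeof shroud, "%s", password);` and wipe it afterwards with `memset(shroud, 0, sizeof shroud);`; the local `password` buffer deserves the same before the function returns. imap_getauth starts and ends outside this hunk and shroud's declaration is not visible here, so the sizeof form depends on shroud being an array rather than a pointer.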