*out = '\0';
}
-int from64tobits(char *out, const char *in)
+int from64tobits(char *out, const char *in, int maxlen)
/* base 64 to raw bytes in quasi-big-endian order, returning count of bytes */
{
int len = 0;
if (digit4 != '=' && DECODE64(digit4) == BAD)
return(-1);
in += 4;
- *out++ = (DECODE64(digit1) << 2) | (DECODE64(digit2) >> 4);
++len;
+ if (len && len >= maxlen) /* prevent buffer overflow */
+ return(-1);
+ *out++ = (DECODE64(digit1) << 2) | (DECODE64(digit2) >> 4);
if (digit3 != '=')
{
*out++ = ((DECODE64(digit2) << 4) & 0xf0) | (DECODE64(digit3) >> 2);
respdata = buf1;
if (strip && strncmp(buf1, strip, strlen(strip)) == 0)
respdata += strlen(strip);
- len = from64tobits (msg_id, respdata);
+ len = from64tobits (msg_id, respdata, sizeof(msg_id));
if (len < 0) {
report (stderr, GT_("could not decode BASE64 challenge\n"));
/* base64.c */
void to64frombits(unsigned char *, const unsigned char *, int);
-int from64tobits(char *, const char *);
+int from64tobits(char *, const char *, int len);
/* unmime.c */
/* Bit-mask returned by MimeBodyType */
gss_release_name(&min_stat, &target_name);
return result;
}
- request_buf.length = from64tobits(buf2, buf1 + 2);
+ request_buf.length = from64tobits(buf2, buf1 + 2, sizeof(buf2));
request_buf.value = buf2;
sec_token = &request_buf;
}
if (result = gen_recv(sock, buf1, sizeof buf1))
return result;
- request_buf.length = from64tobits(buf2, buf1 + 2);
+ request_buf.length = from64tobits(buf2, buf1 + 2, sizeof(buf2));
request_buf.value = buf2;
maj_stat = gss_unwrap(&min_stat, context,
return result;
}
- len = from64tobits(challenge1.cstr, buf1);
+ len = from64tobits(challenge1.cstr, buf1, sizeof(challenge1.cstr));
if (len < 0) {
report(stderr, GT_("could not decode initial BASE64 challenge\n"));
return PS_AUTHFAIL;
* process is complete.
*/
- len = from64tobits(buf2, buf1);
+ len = from64tobits(buf2, buf1, sizeof(buf2x));
if (len < 0) {
report(stderr, GT_("could not decode BASE64 ready response\n"));
return PS_AUTHFAIL;
/* Note: Decoding is done "in-situ", i.e. without using an
* additional buffer for temp. storage. This is possible, since the
* decoded string will always be shorter than the encoded string,
- * due to the en- coding scheme.
+ * due to the encoding scheme.
*/
int state = S_COPY_PLAIN;
int decoded_count;
delimsave = *p; *p = '\r';
- decoded_count = from64tobits(p_out, p_in);
+ decoded_count = from64tobits(p_out, p_in, 0);
*p = delimsave;
if (decoded_count > 0)
p_out += decoded_count;