From 4c3cebfa4e659fb778ca2cae0ccb3f69201609a8 Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Fri, 3 Oct 2025 13:11:59 +0200
Subject: [PATCH] Security fix: avoid NULL+1 deref on invalid AUTH reply

When fetchmail receives a 334 reply from the SMTP server that does not contain the mandated blank after that response code, it will attempt reading from memory location 1, which will usually lead to a crash.

The simpler fix would have been to check for four bytes "334 " instead of three bytes "334" but that would make malformed replies and those that don't match the expected reply code indistinguishable.
---
 smtp.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/smtp.c b/smtp.c
index 9b4c9cc6..ac0f7feb 100644
--- a/smtp.c
+++ b/smtp.c
@@ -124,6 +124,11 @@ static void SMTP_auth(int sock, char smtp_mode, const char *username, const char
 }
 p = strchr(tmp, ' ');
+ if (!p) {
+ report(stderr, "%s: \"%s\"\n", GT_("Malformed server reply"), visbuf(tmp));
+ SMTP_auth_error(sock, "");
+ return;
+ }
 p++; /* (hmh) from64tobits will not NULL-terminate strings! */
 if (from64tobits(b64buf, p, sizeof(b64buf) - 1) <= 0) {
@@ -181,6 +186,11 @@ static void SMTP_auth(int sock, char smtp_mode, const char *username, const char
 }
 p = strchr(tmp, ' ');
+ if (!p) {
+ report(stderr, "%s: \"%s\"\n", GT_("Malformed server reply"), visbuf(tmp));
+ SMTP_auth_error(sock, "");
+ return;
+ }
 p++;
 if (from64tobits(b64buf, p, sizeof(b64buf) - 1) <= 0) {
 report(stderr, "\"%s\" <- %s", visbuf(tmp), GT_("Bad base64 reply from server.\n"));
--
GitLab
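Review bot: The new `if (!p)` guard only rejects a reply that has no blank anywhere on the line, because the `strchr(tmp, ' ')` it protects scans the whole reply rather than the byte that follows the three-digit code, so a server line such as `334xyz abc` still gets past it and `abc` is what reaches from64tobits. If the reply-code match that precedes this hunk (outside the visible lines) only compares the first three bytes, the check can be tied to the position RFC 4954 mandates without losing the "malformed" versus "wrong code" distinction the commit message wants: replace `p = strchr(tmp, ' ');` with `p = tmp + 3;` and the guard with `if (*p != ' ') {`, leaving the existing `p++` as is. That relies on `tmp` being known to hold at least the three code bytes at this point, which should be confirmed against the earlier check. SMTP_auth starts before this hunk and continues after it.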
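Review bot: The five lines added at `if (!p)` here are a byte-for-byte copy of the block added in the first hunk (same report() format, same `SMTP_auth_error(sock, "")`, same early return), so the two call sites will drift the next time either the diagnostic or the error signalling changes; a small static helper that locates the payload and handles the malformed case in one place removes the duplication. The helper below assumes `p` and `tmp` are plain `char *` in SMTP_auth, which the hunk does not show, and the first call site would keep its `/* (hmh) ... */` remark about from64tobits as a comment on the helper. As a minor consistency point, the new diagnostic puts the label first (`"%s: \"%s\"\n"`) while the existing base64 diagnostic on the last line of the hunk puts the reply first (`"\"%s\" <- %s"`); either is fine, but matching them makes the log easier to grep. SMTP_auth's body continues outside the hunk.
```c
/* Return the base64 payload that follows the blank after the reply code,
 * or NULL after reporting a malformed reply and signalling the server. */
static char *smtp_auth_payload(int sock, char *tmp)
{
    char *p = strchr(tmp, ' ');
    if (!p) {
        report(stderr, "%s: \"%s\"\n", GT_("Malformed server reply"), visbuf(tmp));
        SMTP_auth_error(sock, "");
        return NULL;
    }
    return p + 1; /* from64tobits will not NULL-terminate strings! */
}
/* … unchanged: SMTP_auth up to the reply-code check … */
    if (!(p = smtp_auth_payload(sock, tmp)))
        return;
/* … unchanged: from64tobits call and the rest of the exchange … */
```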