HackerOne report H1:967457 (hackerone.com), reported by catenacyber
Date: 2020-08-26 07:17:35 (Aug 26, 2020, 7:17 a.m.)
Bounty: $400
13

EPSS: 0.003 (percentile: 69.7%)

In function rpa_read_buffer, the condition in

	if (p > end)
		return 0;

	len = *p++;

is not strict enough: it lets the case p == end through, and `len = *p++` then reads one byte past the end of the buffer.

It should be

	if (p >= end)
		return 0;

	len = *p++;

The fix from https://github.com/dovecot/core/commit/69ad3c902ea4bbf9f21ab1857d8923f975dc6145 is not enough on its own.
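The following is an added example, not Dovecot's code: a simplified, hypothetical reader for a [length byte][payload] field that carries both the corrected `p >= end` guard from this report and a second check that the payload fits. The names `read_length_prefixed`, `old_guard_allows_read` and `count_fields`, and the sample inputs, are assumptions made for the illustration. The helper `old_guard_allows_read` only compares pointers, so it shows why the original `p > end` guard still permits a read at `p == end` without performing the out-of-bounds read itself.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical, simplified reader for one length-prefixed field, shaped after
 * the check quoted in the report. It is NOT Dovecot's rpa_read_buffer; the
 * names here are assumptions made for this example.
 *
 * Layout: [len byte][len payload bytes]. *pp is advanced past the field.
 * Returns 1 on success, 0 if the input is truncated at any point.
 */
struct field {
    const unsigned char *data;
    size_t len;
};

int read_length_prefixed(const unsigned char **pp, const unsigned char *end,
                         struct field *out)
{
    const unsigned char *p = *pp;
    size_t len;

    /* Fixed guard: when p == end the length byte itself lies one past the
     * buffer, so "p > end" is off by one and must be "p >= end". */
    if (p >= end)
        return 0;

    len = *p++;

    /* Second bound: the payload must also fit before end. Written as a
     * difference on the left so that p + len is never formed out of range. */
    if ((size_t)(end - p) < len)
        return 0;

    out->data = p;
    out->len = len;
    *pp = p + len;
    return 1;
}

/* Reports whether the original "p > end" guard would still let *p be read.
 * Only compares pointers, never dereferences, so p == end is safe here. */
bool old_guard_allows_read(const unsigned char *p, const unsigned char *end)
{
    return !(p > end);
}

/* Parses every field in buf[0..n). Returns the number of fields read, or -1
 * if the input is truncated. */
int count_fields(const unsigned char *buf, size_t n)
{
    const unsigned char *p = buf, *end = buf + n;
    struct field f;
    int count = 0;

    while (p < end) {
        if (!read_length_prefixed(&p, end, &f))
            return -1;
        count++;
    }
    return count;
}

/* Constructed sample inputs for this example (not taken from the report). */
static const unsigned char sample_ok[] = {0x02, 'a', 'b', 0x01, 'c'};
static const unsigned char sample_truncated[] = {0x05, 'a'};

int main(void)
{
    const unsigned char *p = sample_ok;
    const unsigned char *end = sample_ok + sizeof sample_ok;
    struct field f;

    /* Consume every field; afterwards p == end, exactly the state in which
     * the original guard would have allowed one more read. */
    while (read_length_prefixed(&p, end, &f))
        printf("field of %zu bytes\n", f.len);

    printf("p == end: %d, old guard would still read *p: %d\n",
           p == end, old_guard_allows_read(p, end));
    printf("fields in sample_ok: %d, in sample_truncated: %d\n",
           count_fields(sample_ok, sizeof sample_ok),
           count_fields(sample_truncated, sizeof sample_truncated));
    return 0;
}
```

Running it consumes both fields of `sample_ok`, then reports that `p == end` holds and that the old guard would still have dereferenced `p`, which is the one-byte read ASAN flags; `sample_truncated` is rejected by the payload-length check instead.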

The ASAN stack trace is:

=================================================================
==27414==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000006be at pc 0x00010fd2dd33 bp 0x7ffedff66f00 sp 0x7ffedff66ef8
READ of size 1 at 0x6040000006be thread T0
    #0 0x10fd2dd32 in rpa_read_buffer mech-rpa.c:226
    #1 0x10fd2d757 in rpa_parse_token3 mech-rpa.c:283
    #2 0x10fd2c44b in mech_rpa_auth_phase2 mech-rpa.c:504
    #3 0x10fc99d79 in LLVMFuzzerTestOneInput fuzz-auth-server.c:169

Steps to reproduce should be:

(echo 'AUTH RPA'; echo -ne
'`\x11\x06\x09`\x86H\x01\x86\xf8s\x01\x01\x01\x00\x04\x00\x00\x01';
echo -ne '`\x11\x06\x09`\x86H\x01\x86\xf8s\x01\x01\x00\x04A@A\x00')  | nc 127.0.0.1 110

Impact

This overread could cause a crash, but as an off by one, it is difficult