In function rpa_read_buffer, the condition in

    if (p > end)
        return 0;
    len = *p++;

is not strict enough. It should be

    if (p >= end)
        return 0;
    len = *p++;
The fix from https://github.com/dovecot/core/commit/69ad3c902ea4bbf9f21ab1857d8923f975dc6145 is not enough.
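To make the difference between the two predicates concrete, here is an added example (not Dovecot's code) of a hypothetical length-prefixed reader in the shape of rpa_read_buffer; the original and corrected checks are kept side by side so the p == end case, which the original lets through and the fix rejects, can be exercised without reading out of bounds. The field layout (one length byte, then that many payload bytes) and the sample token are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reader modelled on the rpa_read_buffer shape discussed
 * above (not Dovecot's code): *data points at a one-byte length followed
 * by that many payload bytes; end points one past the last valid byte. */
/* Original predicate: p == end passes, and "len = *p++" then reads past end. */
static int weak_check_rejects(const unsigned char *p, const unsigned char *end)
{
    return p > end;
}

/* Corrected predicate: the length byte itself must lie before end. */
static int fixed_check_rejects(const unsigned char *p, const unsigned char *end)
{
    return p >= end;
}
/* Copies one length-prefixed field into out (capacity outcap), advances
 * *data past it and returns the field length, or -1 on malformed input. */
static int read_prefixed(const unsigned char **data, const unsigned char *end,
                         unsigned char *out, size_t outcap)
{
    const unsigned char *p = *data;
    size_t len;
    if (fixed_check_rejects(p, end))   /* no room for the length byte */
        return -1;
    len = *p++;
    if ((size_t)(end - p) < len)        /* payload truncated */
        return -1;
    if (len > outcap)                   /* caller's buffer too small */
        return -1;
    memcpy(out, p, len);
    *data = p + len;
    return (int)len;
}

int main(void)
{
    /* Constructed token: fields "ab" and "xyz", nothing after them. */
    const unsigned char tok[] = { 2, 'a', 'b', 3, 'x', 'y', 'z' };
    const unsigned char *p = tok, *end = tok + sizeof tok;
    unsigned char out[8];
    int n;
    while ((n = read_prefixed(&p, end, out, sizeof out)) >= 0)
        printf("field of %d bytes: %.*s\n", n, n, (const char *)out);
    printf("p == end: weak rejects=%d, fixed rejects=%d\n", /* 0 and 1 */
           weak_check_rejects(p, end), fixed_check_rejects(p, end));
    return 0;
}
```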
The ASAN stack trace is:
=================================================================
==27414==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6040000006be at pc 0x00010fd2dd33 bp 0x7ffedff66f00 sp 0x7ffedff66ef8
READ of size 1 at 0x6040000006be thread T0
#0 0x10fd2dd32 in rpa_read_buffer mech-rpa.c:226
#1 0x10fd2d757 in rpa_parse_token3 mech-rpa.c:283
#2 0x10fd2c44b in mech_rpa_auth_phase2 mech-rpa.c:504
#3 0x10fc99d79 in LLVMFuzzerTestOneInput fuzz-auth-server.c:169
Steps to reproduce should be:
(echo 'AUTH RPA'; echo -ne
'`\x11\x06\x09`\x86H\x01\x86\xf8s\x01\x01\x01\x00\x04\x00\x00\x01';
echo -ne '`\x11\x06\x09`\x86H\x01\x86\xf8s\x01\x01\x00\x04A@A\x00') | nc 127.0.0.1 110
This overread could cause a crash, but as an off by one, it is difficult