Auths: fix possible OOB write in external authenticator. Bug 2999

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 5fcc8ab11b52d487f31ec19370e22ec1fab198f6..eb8c3588ee5f4768c56256546ebdf73e625d1441 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -193,6 +193,9 @@ JH/38 Taint-track intermediate values from the peer in multi-stage authentation
 JH/39 Bug 3023: Fix crash induced by some combinations of zero-length strings
       and ${tr...}.  Found and diagnosed by Heiko Schlichting.
 
+JH/40 Bug 2999: Fix a possible OOB write in the external authenticator, which
+      could be triggered by externally-supplied input.  Found by Trend Micro.
+
 
 Exim version 4.96
 -----------------

diff --git a/src/src/auths/external.c b/src/src/auths/external.c
index 078aad0faa9be77d09dca6bc283808f63f0f2247..f6aa527f2e5f4270feedc9788a2032d359d1778f 100644 (file)
--- a/src/src/auths/external.c
+++ b/src/src/auths/external.c
@@ -104,7 +104,7 @@ if (expand_nmax == 0)       /* skip if rxd data */
 if (ob->server_param2)
   {
   uschar * s = expand_string(ob->server_param2);
-  auth_vars[expand_nmax] = s;
+  auth_vars[expand_nmax = 1] = s;
   expand_nstring[++expand_nmax] = s;
   expand_nlength[expand_nmax] = Ustrlen(s);
   if (ob->server_param3)