[dovecot-cvs] dovecot/src/auth userinfo-vpopmail.c,1.3,1.4

cras at procontrol.fi cras at procontrol.fi
Mon Nov 25 15:35:55 EET 2002


Update of /home/cvs/dovecot/src/auth
In directory danu:/tmp/cvs-serv17569

Modified Files:
	userinfo-vpopmail.c 
Log Message:
vpopmail's parse_email() is buggy, we need to zero fill the username buffer
before calling it.



Index: userinfo-vpopmail.c
===================================================================
RCS file: /home/cvs/dovecot/src/auth/userinfo-vpopmail.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -d -r1.3 -r1.4
--- userinfo-vpopmail.c	24 Nov 2002 22:25:14 -0000	1.3
+++ userinfo-vpopmail.c	25 Nov 2002 13:35:53 -0000	1.4
@@ -13,6 +13,8 @@
 #include <vpopmail.h>
 #include <vauth.h>
 
+/* #define I_DEBUG(x) i_warning x */
+
 /* Limit user and domain to 80 chars each (+1 for \0). I wouldn't recommend
    raising this limit at least much, vpopmail is full of potential buffer
    overflows. */
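Review bot: Nothing visible in this diff defines I_DEBUG when debugging is off: the only definition added here is commented out, yet the later hunks call `I_DEBUG((...))` in six places. Unless a header outside this diff supplies it, the build needs a no-op fallback next to the commented line, e.g. `#define I_DEBUG(x)`. A short comment there should also state that enabling the macro writes login names and domains from authentication attempts to the log, so it is meant for troubleshooting only.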
@@ -26,28 +28,52 @@
 	char *passdup;
 	int result;
 
+	/* vpop_user must be zero-filled or parse_email() leaves an extra
+	   character after the user name. we'll fill vpop_domain as well
+	   just to be sure... */
+	memset(vpop_user, '\0', sizeof(vpop_user));
+	memset(vpop_domain, '\0', sizeof(vpop_domain));
+
 	if (parse_email(t_strdup_noconst(user), vpop_user, vpop_domain,
-			sizeof(vpop_user)-1) < 0)
+			sizeof(vpop_user)-1) < 0) {
+		I_DEBUG(("vpopmail: parse_email(%s) failed", user));
 		return FALSE;
+	}
 
 	/* we have to get uid/gid separately, because the gid field in
 	   struct vqpasswd isn't really gid at all but just some flags... */
 	if (vget_assign(vpop_domain, NULL, 0,
-			&reply->uid, &reply->gid) == NULL)
+			&reply->uid, &reply->gid) == NULL) {
+		I_DEBUG(("vpopmail: vget_assign(%s) failed", vpop_domain));
 		return FALSE;
+	}
 
 	vpw = vauth_getpw(vpop_user, vpop_domain);
 	if (vpw != NULL && (vpw->pw_dir == NULL || vpw->pw_dir[0] == '\0')) {
 		/* user's homedir doesn't exist yet, create it */
+		I_DEBUG(("vpopmail: pw_dir isn't set, creating"));
+
 		if (make_user_dir(vpop_user, vpop_domain,
-				  reply->uid, reply->gid) == NULL)
+				  reply->uid, reply->gid) == NULL) {
+			i_error("vpopmail: make_user_dir(%s, %s) failed",
+				vpop_user, vpop_domain);
 			return FALSE;
+		}
 
 		vpw = vauth_getpw(vpop_user, vpop_domain);
 	}
 
-	if (vpw == NULL || (vpw->pw_gid & NO_IMAP))
+	if (vpw == NULL) {
+		I_DEBUG(("vpopmail: vauth_getpw(%s, %s) failed",
+		       vpop_user, vpop_domain));
 		return FALSE;
+	}
+
+	if (vpw->pw_gid & NO_IMAP) {
+		I_DEBUG(("vpopmail: IMAP disabled for %s@%s",
+		       vpop_user, vpop_domain));
+		return FALSE;
+	}
 
 	/* verify password */
         passdup = t_strdup_noconst(password);
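Review bot: The debug message on the parse_email() failure path prints `user` exactly as the client sent it, before any length or character check has succeeded. With I_DEBUG enabled, an unauthenticated client could put very long text or control characters such as newlines into the log, which can split or forge log entries; whether i_warning escapes its arguments is not visible here. I would add a comment above that call, `/* user is unvalidated client input; escape or truncate before logging */`, and log an escaped or length-limited copy instead. The other messages print vpop_user and vpop_domain, which are at least bounded by the fixed-size buffers. The function's signature and the buffer declarations are outside this hunk.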
@@ -56,8 +82,11 @@
 	memset(passdup, 0, strlen(passdup));
 	memset(vpw->pw_passwd, 0, strlen(vpw->pw_passwd));
 
-	if (!result)
+	if (!result) {
+		I_DEBUG(("vpopmail: password mismatch for user %s@%s",
+		       vpop_user, vpop_domain));
 		return FALSE;
+	}
 
 	/* make sure it's not giving too large values to us */
 	if (strlen(vpw->pw_dir) >= sizeof(reply->home)) {



