[PATCH 2/2] managesieve-login: Verify AUTHENTICATE initial response size isn't too...

This prevents DoSing the managesieve-login by sending an excessively large
initial response size, which causes a huge memory allocation.

Gbp-Pq: Name CVE-2026-27858.patch

diff --git a/pigeonhole/src/managesieve-login/client-authenticate.c b/pigeonhole/src/managesieve-login/client-authenticate.c
index 822dae6a9297fe1cf643fc9d720dc51d240b7a44..5aeccd3526f7ba463b2e63b2a18488ae93bd3710 100644 (file)
--- a/pigeonhole/src/managesieve-login/client-authenticate.c
+++ b/pigeonhole/src/managesieve-login/client-authenticate.c
@@ -196,6 +196,11 @@ managesieve_client_auth_read_response(struct managesieve_client *msieve_client,
                if (i_stream_get_size(msieve_client->auth_response_input,
                                      FALSE, &resp_size) <= 0)
                        resp_size = 0;
+               else if (resp_size > LOGIN_MAX_AUTH_BUF_SIZE) {
+                       client_destroy(client,
+                                      "Authentication response too large");
+                       return -1;
+               }
 
                if (client->auth_response == NULL) {
                        client->auth_response =