On Sun, Apr 19, 2026 at 08:46:49AM +0200, Alejandro Colomar via Mutt-dev wrote:
> On 2026-04-19T13:51:31+0800, Kevin J. McCarthy wrote:
>> Make sure send_token.length is 4 bytes before reading the data.
>>
>> Fix the buf_size type to be uint32_t instead of long. ntohl() operates on, and returns, a 32 bit unsigned integer. Most architectures now use a 64-bit long. I believe this only worked because in Little-Endian, the least-significant bits come first, so even though we were using 8 bytes of send_token.value (4 of which were out of bounds) for the cast to long, only the first 4 bytes were used to truncate to the uint32_t that ntohl() used. Likewise when we converted htonl() further down.
>>
>> Additionally, the comments indicate that mutt wasn't using buf_size in any case, so perhaps that also explains the lack of bug reports.
>>
>> Thanks to [email protected] for the security report.
>
> Reviewed-by: Alejandro Colomar <[email protected]>
Pushed to stable. Merged into master with the dprint translated to muttdbg.

-- 
Kevin J. McCarthy
GPG Fingerprint: 8975 A9B3 3AA3 7910 385C 5308 ADEF 7684 8031 6BDA
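The defect described in Kevin's commit message above, shown as an added C example that is not mutt's code and not part of this thread: a minimal stand-in for the GSSAPI token buffer, the old cast-to-long pattern modelled over a deliberately over-allocated backing array (so the demo itself never reads out of bounds), and the fixed length-checked uint32_t parse beside the matching htonl() encoder. The `struct token` name, every function name and the token bytes are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* ntohl(), htonl() */

/* Constructed stand-in for the GSSAPI gss_buffer_desc used for send_token. */
struct token {
    size_t length;
    unsigned char *value;
};

/* Constructed 4-byte network-order token carrying the size 0x00100000. */
static const unsigned char demo_token_bytes[4] = { 0x00, 0x10, 0x00, 0x00 };

/* The same 4 bytes followed by 4 bytes standing in for "whatever sits after
 * the buffer", so the old 8-byte read can be modelled without a real OOB read. */
static const unsigned char demo_backing[8] = {
    0x00, 0x10, 0x00, 0x00, 0xde, 0xad, 0xbe, 0xef
};

static int host_is_little_endian(void)
{
    uint32_t probe = 1;
    unsigned char first;
    memcpy(&first, &probe, 1);
    return first == 1;
}

/* Old pattern: ntohl(*(long *)send_token.value). With a 64-bit long this reads
 * 8 bytes from a token that holds only 4 (an out-of-bounds read in real code).
 * The long is then truncated to the uint32_t ntohl() takes: on little-endian
 * that keeps bytes 0..3, which is why it appeared to work; on big-endian it
 * keeps bytes 4..7, i.e. the garbage past the token. memcpy replaces the
 * pointer cast here so the demo stays inside the backing array. */
static uint32_t legacy_buf_size(const unsigned char *backing)
{
    long raw;
    memcpy(&raw, backing, sizeof raw);
    return ntohl((uint32_t) raw);
}

/* Fixed pattern: check the length first, read exactly 4 bytes into a uint32_t.
 * Returns 0 on success, -1 if the token is not a 4-byte size field. */
static int parse_buf_size(const struct token *t, uint32_t *out)
{
    uint32_t net;

    if (t->value == NULL || t->length != sizeof net)
        return -1;
    memcpy(&net, t->value, sizeof net);
    *out = ntohl(net);
    return 0;
}

/* Matching encoder for the htonl() side: writes a 4-byte network-order field. */
static void encode_buf_size(uint32_t buf_size, unsigned char out[4])
{
    uint32_t net = htonl(buf_size);
    memcpy(out, &net, sizeof net);
}

/* Demo helpers return their outcome so it can be checked, not only printed. */
static uint32_t demo_parse_good(void)
{
    struct token t = { 4, (unsigned char *) demo_token_bytes };
    uint32_t v = 0;
    return parse_buf_size(&t, &v) == 0 ? v : 0;
}

static int demo_parse_rejects_oversized(void)
{
    struct token t = { 8, (unsigned char *) demo_backing };
    uint32_t v = 0;
    return parse_buf_size(&t, &v) == -1;
}

static int demo_roundtrip(void)
{
    unsigned char enc[4];
    encode_buf_size(0x00100000u, enc);
    return memcmp(enc, demo_token_bytes, sizeof enc) == 0;
}

static uint32_t demo_legacy(void)
{
    return legacy_buf_size(demo_backing);
}

int main(void)
{
    printf("host is %s-endian, sizeof(long) = %zu\n",
           host_is_little_endian() ? "little" : "big", sizeof(long));
    printf("legacy cast-to-long parse  : 0x%08x\n", (unsigned) demo_legacy());
    printf("length-checked uint32 parse: 0x%08x\n", (unsigned) demo_parse_good());
    printf("8-byte token rejected      : %s\n", demo_parse_rejects_oversized() ? "yes" : "no");
    printf("htonl/ntohl round-trip     : %s\n", demo_roundtrip() ? "ok" : "FAIL");
    return 0;
}
```

On a little-endian LP64 host both parsers print 0x00100000, which matches the commit message's explanation of why the bug went unnoticed; on a big-endian LP64 host the legacy path would yield 0xdeadbeef, the bytes past the token, while the length-checked parse is unaffected and additionally rejects any token whose length is not 4.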
