[PATCH 1 of 2] Mail: s->login and s->passwd now cleared on errors
Maxim Dounin
mdounin at mdounin.ru
Thu Aug 14 21:01:01 UTC 2025
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1755187422 -10800
# Thu Aug 14 19:03:42 2025 +0300
# Node ID 13ee0b2ffee6d852bc5aa4e10fcf217a982c8e79
# Parent 870dfc16d381d90644b08159dd84d1ee391cf630
Mail: s->login and s->passwd now cleared on errors.
This ensures that rejected logins won't be used, such as in logs.
Further, this fixes using uninitialized memory in logs when an error
is detected in the middle of an auth mechanism parsing, with s->login
partially set, as well as sending uninitialized memory to auth_http
server with "auth_smtp none;" (known as CVE-2025-53859, though security
impact of this issue is questionable).
diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c
--- a/src/mail/ngx_mail_auth_http_module.c
+++ b/src/mail/ngx_mail_auth_http_module.c
@@ -986,6 +986,8 @@ ngx_mail_auth_send_error(ngx_mail_sessio
s->state = 0;
s->mail_state = 0;
s->tag.len = 0;
+ s->login.len = 0;
+ s->passwd.len = 0;
} else {
s->auth_err.len -= s->tag.len;
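Review bot: Only the lengths are zeroed here, so `s->login.data` and `s->passwd.data` keep pointing at the rejected credentials and the bytes stay in memory for the rest of the session. That is enough for consumers that honour `.len`, but any code that tests `.data` would still see the old value; whether such code exists is not visible from this hunk. Using `ngx_str_null(&s->login); ngx_str_null(&s->passwd);`, as the ngx_mail_handler.c hunks already do for `s->auth_err`, would drop the pointers too. If keeping the secret out of memory matters, the password buffer could be wiped with `ngx_explicit_memzero()` first, provided it is not shared with a buffer still in use. The same applies to the hunks in ngx_mail_handler.c and in the IMAP, POP3 and SMTP handlers; the enclosing function starts and ends outside this hunk.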
diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
--- a/src/mail/ngx_mail_handler.c
+++ b/src/mail/ngx_mail_handler.c
@@ -776,6 +776,8 @@ ngx_mail_auth_xoauth2(ngx_mail_session_t
s->quit = s->auth_quit;
s->state = 0;
s->mail_state = 0;
+ s->login.len = 0;
+ s->passwd.len = 0;
ngx_str_null(&s->auth_err);
return NGX_OK;
}
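Review bot: The error epilogue in ngx_mail_auth_xoauth2() is now six statements long and is repeated verbatim in ngx_mail_auth_oauthbearer() in the next hunk, so a mechanism added later could easily copy a version that lacks the credential reset. Moving the six statements into one static helper that takes `s`, with both sites calling it before `return NGX_OK;`, would keep the reset in a single place. Both functions start outside their hunks, so the conditions guarding these two blocks should be confirmed to be equivalent before the paths are merged.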
@@ -885,6 +887,8 @@ ngx_mail_auth_oauthbearer(ngx_mail_sessi
s->quit = s->auth_quit;
s->state = 0;
s->mail_state = 0;
+ s->login.len = 0;
+ s->passwd.len = 0;
ngx_str_null(&s->auth_err);
return NGX_OK;
}
diff --git a/src/mail/ngx_mail_imap_handler.c b/src/mail/ngx_mail_imap_handler.c
--- a/src/mail/ngx_mail_imap_handler.c
+++ b/src/mail/ngx_mail_imap_handler.c
@@ -251,9 +251,11 @@ ngx_mail_imap_auth_state(ngx_event_t *re
return;
case NGX_MAIL_PARSE_INVALID_COMMAND:
+ s->mail_state = ngx_imap_start;
s->state = 0;
+ s->login.len = 0;
+ s->passwd.len = 0;
ngx_str_set(&s->out, imap_invalid_command);
- s->mail_state = ngx_imap_start;
break;
}
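Review bot: The reset in the NGX_MAIL_PARSE_INVALID_COMMAND branch carries no comment, although its reason is not obvious from the code: per the commit message, an authentication exchange can fail with `s->login` only partly filled in. A one-line comment such as `/* drop credentials collected so far, they may be incomplete */` above `s->login.len = 0;` would keep a later cleanup from removing the two lines. The same comment fits the POP3 and SMTP hunks. Only this branch of the switch is visible, so it is worth confirming that no other exit from the auth state machine leaves the fields set.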
diff --git a/src/mail/ngx_mail_pop3_handler.c b/src/mail/ngx_mail_pop3_handler.c
--- a/src/mail/ngx_mail_pop3_handler.c
+++ b/src/mail/ngx_mail_pop3_handler.c
@@ -290,6 +290,8 @@ ngx_mail_pop3_auth_state(ngx_event_t *re
case NGX_MAIL_PARSE_INVALID_COMMAND:
s->mail_state = ngx_pop3_start;
s->state = 0;
+ s->login.len = 0;
+ s->passwd.len = 0;
ngx_str_set(&s->out, pop3_invalid_command);
diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c
--- a/src/mail/ngx_mail_smtp_handler.c
+++ b/src/mail/ngx_mail_smtp_handler.c
@@ -577,6 +577,8 @@ ngx_mail_smtp_auth_state(ngx_event_t *re
case NGX_MAIL_PARSE_INVALID_COMMAND:
s->mail_state = ngx_smtp_start;
s->state = 0;
+ s->login.len = 0;
+ s->passwd.len = 0;
ngx_str_set(&s->out, smtp_invalid_command);
/* fall through */