[nginx] Mail: s->login and s->passwd now cleared on errors.

Maxim Dounin mdounin at mdounin.ru
Thu Aug 21 17:08:51 UTC 2025


details:   http://freenginx.org/hg/nginx/rev/a6d2f13a8539
branches:  
changeset: 9412:a6d2f13a8539
user:      Maxim Dounin <mdounin at mdounin.ru>
date:      Thu Aug 21 06:02:01 2025 +0300
description:
Mail: s->login and s->passwd now cleared on errors.

This ensures that rejected logins won't be used, such as in logs.
Further, this fixes using uninitialized memory in logs when an error
is detected in the middle of parsing an auth mechanism, with s->login
partially set, as well as sending uninitialized memory to auth_http
server with "auth_smtp none;" (known as CVE-2025-53859, though security
impact of this issue is questionable).

diffstat:

 src/mail/ngx_mail_auth_http_module.c |  2 ++
 src/mail/ngx_mail_handler.c          |  4 ++++
 src/mail/ngx_mail_imap_handler.c     |  4 +++-
 src/mail/ngx_mail_pop3_handler.c     |  2 ++
 src/mail/ngx_mail_smtp_handler.c     |  2 ++
 5 files changed, 13 insertions(+), 1 deletions(-)

diffs (73 lines):

diff --git a/src/mail/ngx_mail_auth_http_module.c b/src/mail/ngx_mail_auth_http_module.c
--- a/src/mail/ngx_mail_auth_http_module.c
+++ b/src/mail/ngx_mail_auth_http_module.c
@@ -986,6 +986,8 @@ ngx_mail_auth_send_error(ngx_mail_sessio
         s->state = 0;
         s->mail_state = 0;
         s->tag.len = 0;
+        s->login.len = 0;
+        s->passwd.len = 0;
 
     } else {
         s->auth_err.len -= s->tag.len;
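Review bot: The two lines added to ngx_mail_auth_send_error() reset only `len`, so `s->login.data` and `s->passwd.data` still point at the rejected credentials, and the password bytes presumably stay in memory until the underlying buffer or pool is reused or freed. If the goal is that rejected logins cannot be used, `ngx_str_null(&s->login);` and `ngx_str_null(&s->passwd);` (the macro this commit's context already shows for `s->auth_err` in ngx_mail_handler.c) would also drop the pointers, provided no consumer reads `data` without checking `len`, which these hunks do not show. The same applies to the resets added in ngx_mail_handler.c and in the IMAP, POP3 and SMTP handlers. The function body starts and ends outside the hunk.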
diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
--- a/src/mail/ngx_mail_handler.c
+++ b/src/mail/ngx_mail_handler.c
@@ -776,6 +776,8 @@ ngx_mail_auth_xoauth2(ngx_mail_session_t
             s->quit = s->auth_quit;
             s->state = 0;
             s->mail_state = 0;
+            s->login.len = 0;
+            s->passwd.len = 0;
             ngx_str_null(&s->auth_err);
             return NGX_OK;
         }
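Review bot: The sequence `s->state = 0; s->mail_state = 0; s->login.len = 0; s->passwd.len = 0;` is now repeated verbatim in ngx_mail_auth_xoauth2() and ngx_mail_auth_oauthbearer(), and the same credential reset is added to four more error paths in this commit. The description attributes the bug to error paths that left these fields set, so a small static helper for the reset would keep a future rejection path from missing one. Failing that, a comment such as `/* rejected: drop credentials so they are not logged or sent to auth_http */` above the two new lines would record why they are there. Both functions start and end outside their hunks.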
@@ -885,6 +887,8 @@ ngx_mail_auth_oauthbearer(ngx_mail_sessi
             s->quit = s->auth_quit;
             s->state = 0;
             s->mail_state = 0;
+            s->login.len = 0;
+            s->passwd.len = 0;
             ngx_str_null(&s->auth_err);
             return NGX_OK;
         }
diff --git a/src/mail/ngx_mail_imap_handler.c b/src/mail/ngx_mail_imap_handler.c
--- a/src/mail/ngx_mail_imap_handler.c
+++ b/src/mail/ngx_mail_imap_handler.c
@@ -251,9 +251,11 @@ ngx_mail_imap_auth_state(ngx_event_t *re
         return;
 
     case NGX_MAIL_PARSE_INVALID_COMMAND:
+        s->mail_state = ngx_imap_start;
         s->state = 0;
+        s->login.len = 0;
+        s->passwd.len = 0;
         ngx_str_set(&s->out, imap_invalid_command);
-        s->mail_state = ngx_imap_start;
         break;
     }
 
diff --git a/src/mail/ngx_mail_pop3_handler.c b/src/mail/ngx_mail_pop3_handler.c
--- a/src/mail/ngx_mail_pop3_handler.c
+++ b/src/mail/ngx_mail_pop3_handler.c
@@ -290,6 +290,8 @@ ngx_mail_pop3_auth_state(ngx_event_t *re
     case NGX_MAIL_PARSE_INVALID_COMMAND:
         s->mail_state = ngx_pop3_start;
         s->state = 0;
+        s->login.len = 0;
+        s->passwd.len = 0;
 
         ngx_str_set(&s->out, pop3_invalid_command);
 
diff --git a/src/mail/ngx_mail_smtp_handler.c b/src/mail/ngx_mail_smtp_handler.c
--- a/src/mail/ngx_mail_smtp_handler.c
+++ b/src/mail/ngx_mail_smtp_handler.c
@@ -577,6 +577,8 @@ ngx_mail_smtp_auth_state(ngx_event_t *re
     case NGX_MAIL_PARSE_INVALID_COMMAND:
         s->mail_state = ngx_smtp_start;
         s->state = 0;
+        s->login.len = 0;
+        s->passwd.len = 0;
         ngx_str_set(&s->out, smtp_invalid_command);
 
         /* fall through */

