$OpenBSD: patch-lib_smtp_c,v 1.2 2013/02/08 16:27:12 jasper Exp $

Security fix for CVE-2013-0249, smtp_state_authdigest_resp()
buffer overflow vulnerability.

Advisory:
http://curl.haxx.se/docs/adv_20130206.html

Backported from:
http://curl.haxx.se/curl-sasl.patch

--- lib/smtp.c.orig	Tue May 22 23:36:17 2012
+++ lib/smtp.c	Fri Feb  8 13:28:22 2013
@@ -964,7 +964,7 @@ static CURLcode smtp_state_authdigest_resp(struct conn
     snprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]);
 
   /* Orepare URL string, append realm to the protocol */
-  strcat(uri, realm);
+  strlcat(uri, realm, sizeof(uri));
 
   /* Calculate H(A2) */
   ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
@@ -1008,20 +1008,11 @@ static CURLcode smtp_state_authdigest_resp(struct conn
   for(i = 0; i < MD5_DIGEST_LEN; i++)
     snprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]);
 
-  strcpy(response, "username=\"");
-  strcat(response, conn->user);
-  strcat(response, "\",realm=\"");
-  strcat(response, realm);
-  strcat(response, "\",nonce=\"");
-  strcat(response, nonce);
-  strcat(response, "\",cnonce=\"");
-  strcat(response, cnonce);
-  strcat(response, "\",nc=");
-  strcat(response, nonceCount);
-  strcat(response, ",digest-uri=\"");
-  strcat(response, uri);
-  strcat(response, "\",response=");
-  strcat(response, resp_hash_hex);
+  snprintf(response, sizeof(response),
+           "username=\"%s\",realm=\"%s\",nonce=\"%s\","
+           "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s",
+           conn->user, realm, nonce,
+           cnonce, nonceCount, uri, resp_hash_hex);
 
   /* Encode it to base64 and send it */
   result = Curl_base64_encode(data, response, 0, &rplyb64, &len);
