From 18bfc8f2d7bb707c65065760d2dd134e5cf110ff Mon Sep 17 00:00:00 2001
From: Steve Holme <steve_holme@hotmail.com>
Date: Sun, 28 Apr 2013 12:20:14 +0100
Subject: pop3: Added 255 octet limit check when sending initial response

Added 255 octet limit check as per Section 4. Paragraph 8 of RFC-5034.
---
 lib/pop3.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'lib/pop3.c')

diff --git a/lib/pop3.c b/lib/pop3.c
index 339d6e4ee..bace72a11 100644
--- a/lib/pop3.c
+++ b/lib/pop3.c
@@ -629,7 +629,8 @@ static CURLcode pop3_perform_authenticate(struct connectdata *conn)
 
   if(mech && (pop3c->preftype & POP3_TYPE_SASL)) {
     /* Perform SASL based authentication */
-    if(initresp) {
+    if(initresp &&
+       8 + strlen(mech) + len <= 255) { /* AUTH <mech> ...<crlf> */
       result = Curl_pp_sendf(&pop3c->pp, "AUTH %s %s", mech, initresp);
 
       if(!result)
-- 
cgit v1.2.3