libESMTP before version 1.1.0 mishandles domain copying into a fixed-size buffer in ntlm_build_type_2 in ntlm/ntlmstruct.c. During NTLM authentication, a sufficiently long domain, workstation or user name would overwrite the stack. Furthermore, nt_unicode() is called with an incorrect length argument, potentially causing it to read uninitialised memory or possibly a SIGSEGV or SIGBUS under the same circumstances.
libESMTP before version 1.1.0 mishandles domain copying into a fixed-size buffer in ntlm_build_type_2 in ntlm/ntlmstruct.c. During NTLM authentication, a sufficiently long domain, workstation or user name would overwrite the stack. Furthermore, nt_unicode() is called with an incorrect length argument, potentially causing it to read uninitialised memory or possibly a SIGSEGV or SIGBUS under the same circumstances.
https://github.com/libesmtp/libESMTP/issues/6 https://github.com/libesmtp/libESMTP/commit/8c85278d28ff4da32106714a1420371fe37ef349