diff options
author | Jeremy Harris <jgh146exb@wizmail.org> | 2019-02-12 16:52:51 +0000 |
---|---|---|
committer | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2019-07-19 08:55:05 +0200 |
commit | 0654d3440d8735221a58f96f5343fbe243171711 (patch) | |
tree | ea69132d26181f8ff1a7324e17d058dcbf0128f9 | |
parent | a8761d62664f96259d815ab84a7a734829972fb3 (diff) | |
download | exim4-0654d3440d8735221a58f96f5343fbe243171711.tar.gz |
Fix transport buffer size handling
Broken-by: 59932f7dcd
(cherry picked from commit 05bf16f6217e93594929c8bbbbbc852caf3ed374)
(cherry picked from commit 1cfa7822ca8928f95160df8742af11fff888ae7e)
-rw-r--r-- | doc/doc-txt/ChangeLog | 7 | ||||
-rw-r--r-- | src/src/transport.c | 4 |
2 files changed, 9 insertions, 2 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index d182115e4..1e4322491 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -11,6 +11,13 @@ Exim version 4.92.1 JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917, OVE-20190718-0006) +Since version 4.92 +------------------ + +JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible + buffer overrun for (non-chunking) other transports. + + Exim version 4.92 ----------------- diff --git a/src/src/transport.c b/src/src/transport.c index 8ccdd0389..a069b8833 100644 --- a/src/src/transport.c +++ b/src/src/transport.c @@ -1115,13 +1115,13 @@ DEBUG(D_transport) if (!(tctx->options & topt_no_body)) { - int size = size_limit; + unsigned long size = size_limit > 0 ? size_limit : ULONG_MAX; nl_check_length = abs(nl_check_length); nl_partial_match = 0; if (lseek(deliver_datafile, SPOOL_DATA_START_OFFSET, SEEK_SET) < 0) return FALSE; - while ( (len = MAX(DELIVER_IN_BUFFER_SIZE, size)) > 0 + while ( (len = MIN(DELIVER_IN_BUFFER_SIZE, size)) > 0 && (len = read(deliver_datafile, deliver_in_buffer, len)) > 0) { if (!write_chunk(tctx, deliver_in_buffer, len)) |