author | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2020-11-21 22:03:03 +0100 |
---|---|---|
committer | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2021-04-28 00:40:28 +0200 |
commit | 4045cb01a590ec480f45f80967cd9c59fe23a5d0 (patch) | |
tree | 5ee1d1172de3e9f6e0000b9470c12a5905a41d92 | |
parent | 125f0d4afbc858cf514c29326a3016c2d9d7bdc1 (diff) | |
download | exim4-4045cb01a590ec480f45f80967cd9c59fe23a5d0.tar.gz |
SECURITY: off-by-one in smtp transport (read response)
Credits: Qualys
1/ In src/transports/smtp.c:
2281 int n = sizeof(sx->buffer);
2282 uschar * rsp = sx->buffer;
2283
2284 if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
2285 { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
This should probably be either:
rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1;
or:
rsp = sx->buffer + n; n = sizeof(sx->buffer) - n;
(not sure which) to avoid an off-by-one.
(cherry picked from commit d2c44ef5dd94f1f43ba1d1a02bc4594f4fba5e38)
-rw-r--r-- | src/src/transports/smtp.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 6540e4d2b..f26e2337a 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -2359,8 +2359,8 @@ goto SEND_QUIT;
 int n = sizeof(sx->buffer);
 uschar * rsp = sx->buffer;
- if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
- { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
+ if (sx->esmtp_sent && (n = Ustrlen(sx->buffer) + 1) < sizeof(sx->buffer)/2)
+ { rsp = sx->buffer + n; n = sizeof(sx->buffer) - n; }
 if (smtp_write_command(sx, SCMD_FLUSH, "HELO %s\r\n", sx->helo_data) < 0) goto SEND_FAILED; |
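Review bot: The assignment inside the condition, `(n = Ustrlen(sx->buffer) + 1) < sizeof(sx->buffer)/2`, overwrites `n` even when the comparison fails, so on that path `rsp` still points at the start of `sx->buffer` while `n` holds the old string length plus one instead of the full buffer size. That stays inside the buffer as long as its contents are NUL-terminated, but it presumably shrinks the space handed to whatever reads into `rsp` after this hunk, which is not visible here. Computing the length into its own local, for example `int used = Ustrlen(sx->buffer) + 1;`, and setting `n = sizeof(sx->buffer) - used;` only inside the braces would leave `n` at `sizeof(sx->buffer)` on the fall-through path. A short comment such as `/* keep the previous response and its NUL at the front; read the next one after it */` would also record why the offset includes the terminator, if that is the intent.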