diff options
author | Phil Pennock <phil+git@pennock-tech.com> | 2020-10-29 22:40:59 -0400 |
---|---|---|
committer | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2021-04-28 00:40:24 +0200 |
commit | 467948de0c407bd2bbc2e84abbbf09f35b035538 (patch) | |
tree | 6d460345a0ab6616ac6ee82df337201709d1ce8a | |
parent | 3a54fcd1e303bf1cc49beca7ceac35d7448860a9 (diff) | |
download | exim4-467948de0c407bd2bbc2e84abbbf09f35b035538.tar.gz |
SECURITY: fix SMTP verb option parsing
A boundary case in looking for an opening quote before the closing quote could
walk off the front of the buffer.
(cherry picked from commit 515d8d43a18481d23d7cf410b8dc71b4e254ebb8)
-rw-r--r-- | doc/doc-txt/ChangeLog | 3 | ||||
-rw-r--r-- | src/src/smtp_in.c | 5 |
2 files changed, 6 insertions, 2 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 3bb5326ce..1c7c39e2c 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -196,6 +196,9 @@ PP/09 Fix security issue with too many recipients on a message (to remove a or if local additions add to the recipient list). Fixes CVE-2020-RCPTL reported by Qualys. +PP/10 Fix security issue in SMTP verb option parsing + Fixes CVE-2020-EXOPT reported by Qualys. + Exim version 4.94 ----------------- diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index f53c3cf65..a86e977ce 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -1997,12 +1997,13 @@ extract_option(uschar **name, uschar **value) uschar *n; uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1; while (isspace(*v)) v--; -v[1] = 0; +v[1] = '\0'; while (v > smtp_cmd_data && *v != '=' && !isspace(*v)) { /* Take care to not stop at a space embedded in a quoted local-part */ - if (*v == '"') do v--; while (*v != '"' && v > smtp_cmd_data+1); + if ((*v == '"') && (v > smtp_cmd_data + 1)) + do v--; while (*v != '"' && v > smtp_cmd_data+1); v--; } |