author | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2020-11-21 22:18:56 +0100 |
---|---|---|
committer | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2021-04-28 00:40:29 +0200 |
commit | 2d9f1837bdd6c5946cb9cd997544eefc8cc14fc4 (patch) | |
tree | 53a2d287f4c6769dd694db5435c1b74a5e844045 | |
parent | 4045cb01a590ec480f45f80967cd9c59fe23a5d0 (diff) | |
download | exim4-2d9f1837bdd6c5946cb9cd997544eefc8cc14fc4.tar.gz |
SECURITY: Don't miss the very last byte when reading long lines from -H
Credits: Qualys
2/ In src/spool_in.c:
462 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1
463 && big_buffer[len-1] != '\n'
464 )
465 { /* buffer not big enough for line; certs make this possible */
466 uschar * buf;
467 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
468 buf = store_get_perm(big_buffer_size *= 2, FALSE);
469 memcpy(buf, big_buffer, --len);
The --len in memcpy() chops off a useful byte (we know for sure that
big_buffer[len-1] is not a '\n' because we entered the while loop).
(cherry picked from commit 58454ea01c2e817481770954edf09ad82f3cd417)
-rw-r--r-- | src/src/spool_in.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index 35e44df26..1433123c3 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -466,7 +466,7 @@ for (;;)
 uschar * buf;
 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
 buf = store_get_perm(big_buffer_size *= 2, FALSE);
- memcpy(buf, big_buffer, --len);
+ memcpy(buf, big_buffer, len);
 big_buffer = buf;
 if (Ufgets(big_buffer+len, big_buffer_size-len, fp) == NULL)
 goto SPOOL_READ_ERROR; |
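Review bot: The corrected `memcpy(buf, big_buffer, len);` has no comment recording why all `len` bytes are kept, and an off-by-one like this is easily "fixed" back by someone assuming a trailing newline must be stripped. The loop condition quoted in the commit message guarantees that `big_buffer[len-1]` is not a newline, so a one-line comment above the copy would pin the invariant, e.g. `/* buffer is full with no '\n': keep all len bytes; Ufgets() continues at offset len */`. It would also be worth adding a spool-read regression case with a -H line longer than the initial big_buffer, since nothing visible here checks that the reassembled line is byte-identical to the input. The enclosing while loop and the SPOOL_READ_ERROR label lie outside the hunk.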