diff options
author | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2021-03-29 22:16:28 +0200 |
---|---|---|
committer | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2021-04-28 00:40:39 +0200 |
commit | dbc3ab675c2e5e2a07ed13dc5ede4daa018600e7 (patch) | |
tree | 1d19392426d8cde6561212b1749980ed88faa958 | |
parent | a53a7fcfb8216764e4420d8d263356b4ed7d5cef (diff) | |
download | exim4-dbc3ab675c2e5e2a07ed13dc5ede4daa018600e7.tar.gz |
CVE-2020-28010: Heap out-of-bounds write in main()
Based on Phil Pennock's 0f57feb4. Done by Qualys, modified by me.
(cherry picked from commit b0982c2776048948ebae48574b70fa487684cb8c)
-rw-r--r-- | src/src/exim.c | 9 |
1 files changed, 3 insertions, 6 deletions
diff --git a/src/src/exim.c b/src/src/exim.c index f7a45ff09..975b39a58 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -3839,7 +3839,6 @@ during readconf_main() some expansion takes place already. */ /* Store the initial cwd before we change directories. Can be NULL if the dir has already been unlinked. */ -errno = 0; initial_cwd = os_getcwd(NULL, 0); if (!initial_cwd && errno) exim_fail("exim: getting initial cwd failed: %s\n", strerror(errno)); @@ -4133,11 +4132,9 @@ if ( (debug_selector & D_any || LOGGING(arguments)) p += 13; else { - Ustrncpy(p + 4, initial_cwd, big_buffer_size-5); - p += 4 + Ustrlen(initial_cwd); - /* in case p is near the end and we don't provide enough space for - * string_format to be willing to write. */ - *p = '\0'; + p += 4; + snprintf(CS p, big_buffer_size - (p - big_buffer), "%s", CCS initial_cwd); + p += Ustrlen(CCS p); } (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc); |