author | Jeremy Harris <jgh146exb@wizmail.org> | 2021-03-04 22:19:08 +0100 |
---|---|---|
committer | Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> | 2021-04-28 00:40:35 +0200 |
commit | 99d057fad97a2def9f000ebccda83e4008112819 (patch) | |
tree | ba8493e8c22860fb830aa044ee95cfaa435c3709 | |
parent | 13f9998ebb937970d1d9d18f205a6e03e14105b4 (diff) | |
CVE-2020-28019: Failure to reset function pointer after BDAT error
Based on Phil Pennock's commits 4715403e and 151ffd72, and Jeremy
Harris's commits aa171254 and 9aceb5c2.
(cherry picked from commit 0a3fbb7e3be375bc93b8e359c6aff333c7c2d76f)
-rw-r--r-- | src/src/smtp_in.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index 0b6733673..190064eed 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -794,15 +794,22 @@ else } receive_getc = bdat_getc; +receive_getbuf = bdat_getbuf; receive_ungetc = bdat_ungetc; } static inline void bdat_pop_receive_functions(void) { +if (lwr_receive_getc == NULL) + { + DEBUG(D_receive) debug_printf("chunking double-pop receive functions\n"); + return; + } receive_getc = lwr_receive_getc; receive_getbuf = lwr_receive_getbuf; receive_ungetc = lwr_receive_ungetc; + lwr_receive_getc = NULL; lwr_receive_getbuf = NULL; lwr_receive_ungetc = NULL; @@ -5319,7 +5326,7 @@ while (done <= 0) DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n", (int)chunking_state, chunking_data_left); - f.bdat_readers_wanted = TRUE; + f.bdat_readers_wanted = TRUE; /* FIXME: redundant vs chunking_state? */ f.dot_ends = FALSE; goto DATA_BDAT; @@ -5369,6 +5376,12 @@ while (done <= 0) sender_address = NULL; /* This will allow a new MAIL without RSET */ sender_address_unrewritten = NULL; smtp_printf("554 Too many recipients\r\n", FALSE); + + if (chunking_state > CHUNKING_OFFERED) + { + bdat_push_receive_functions(); + bdat_flush_data(); + } break; } |
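Review bot: The new early return in `bdat_pop_receive_functions()` tests only `lwr_receive_getc`, so it relies on the three `lwr_receive_*` pointers always being saved and cleared as a unit, and nothing in the hunk states that invariant. A comment above the guard would make it explicit, for example `/* lwr_receive_{getc,getbuf,ungetc} are set and cleared together; a NULL getc means nothing is pushed */`. The double pop is reported only under `DEBUG(D_receive)`, so an unbalanced push/pop leaves no trace in a normal run; since the commit title ties this CVE to a function pointer not being reset, it is worth deciding whether that case should also be logged. The first lines of the hunk are the tail of the push function, which starts outside the hunk; the added `receive_getbuf = bdat_getbuf;` would benefit from a short comment that all three readers must be replaced together.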
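Review bot: The block added after `smtp_printf("554 Too many recipients\r\n", FALSE);` has no comment saying why the BDAT readers are pushed again before `bdat_flush_data()`, and its test `chunking_state > CHUNKING_OFFERED` depends on the declaration order of the chunking states. Assuming `bdat_flush_data()` discards the rest of the current chunk, a comment above the `if` such as `/* a BDAT chunk is in progress: reinstall the bdat readers and discard its data before returning to command mode */` would record the intent, and the state declaration should note that its ordering is relied on. The enclosing `while (done <= 0)` loop starts and ends outside the hunk, so other rejection paths that `break` while chunking is active are not visible here; they should be checked for the same push-and-flush handling.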