Cleanup (prevent repeated use of -p/-oMr to avoid mem leak)

(cherry picked from commit 65e061b76867a9ea7aeeb535341b790b90ae6c21)
(cherry picked from commit 35a043657fa583a0ce96be9da4fff22cb0232c4e)

3 files changed, 21 insertions, 3 deletions

diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 788444088..afd690ab8 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -4268,7 +4268,7 @@ or &%-bs%& is used. For &%-bh%&, the protocol is forced to one of the standard
 SMTP protocol names (see the description of &$received_protocol$& in section
 &<<SECTexpvar>>&). For &%-bs%&, the protocol is always &"local-"& followed by
 one of those same names. For &%-bS%& (batched SMTP) however, the protocol can
-be set by &%-oMr%&.
+be set by &%-oMr%&. Repeated use of this option is not supported.
 
 .vitem &%-oMs%&&~<&'host&~name'&>
 .oindex "&%-oMs%&"
@@ -4368,6 +4368,7 @@ host name and its colon can be omitted when only the protocol is to be set.
 Note the Exim already has two private options, &%-pd%& and &%-ps%&, that refer
 to embedded Perl. It is therefore impossible to set a protocol value of &`d`&
 or &`s`& using this option (but that does not seem a real limitation).
+Repeated use of this option is not supported.
 
 .vitem &%-q%&
 .oindex "&%-q%&"
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 5e407fc9d..74414039f 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -10,6 +10,8 @@ Exim version 4.89+fixes
 Cherry-Picked from the master development branch
 -------------------------------------------------
 
+HS/01 Cleanup, prevent repeated use of -p/-oMr (CVE-2017-1000369)
+
 
 Exim version 4.89
 -----------------
diff --git a/src/src/exim.c b/src/src/exim.c
index a6a1ea82c..394bf84f0 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -3092,7 +3092,14 @@ for (i = 1; i < argc; i++)
 
       /* -oMr: Received protocol */
 
-      else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
+      else if (Ustrcmp(argrest, "Mr") == 0)
+
+        if (received_protocol)
+          {
+          fprintf(stderr, "received_protocol is set already\n");
+          exit(EXIT_FAILURE);
+          }
+        else received_protocol = argv[++i];
 
       /* -oMs: Set sender host name */
 
@@ -3188,7 +3195,15 @@ for (i = 1; i < argc; i++)
 
     if (*argrest != 0)
       {
-      uschar *hn = Ustrchr(argrest, ':');
+      uschar *hn;
+
+      if (received_protocol)
+        {
+        fprintf(stderr, "received_protocol is set already\n");
+        exit(EXIT_FAILURE);
+        }
+
+      hn = Ustrchr(argrest, ':');
       if (hn == NULL)
         {
         received_protocol = argrest;