[exim-cvs] Extra paranoia around STARTTLS-with-data-in-buffe…

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Extra paranoia around STARTTLS-with-data-in-buffer.
Gitweb: http://git.exim.org/exim.git/commitdiff/da80c2a8ed49427334af613c00df65ae301cacdd
Commit:     da80c2a8ed49427334af613c00df65ae301cacdd
Parent:     084c1d8c14da86888bbffc31a54246dc6e2e8147
Author:     Phil Pennock <pdp@???>
AuthorDate: Thu Mar 24 02:37:39 2011 -0400
Committer:  Phil Pennock <pdp@???>
CommitDate: Thu Mar 24 02:37:39 2011 -0400


    Extra paranoia around STARTTLS-with-data-in-buffer.
---
 doc/doc-txt/ChangeLog |    2 ++
 src/src/smtp_in.c     |   17 +++++++++++++++++
 2 files changed, 19 insertions(+), 0 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 2b3ec85..37c7f21 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -18,6 +18,8 @@ PP/04 New "dns_use_edns0" global option.
 PP/05 Don't segfault on misconfiguration of ref:name exim-user as uid.
       Bugzilla 1098.


+PP/06 Extra paranoia around STARTTLS-with-data-in-buffer.
+

 Exim version 4.75
 -----------------
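Review bot: the new PP/06 ChangeLog line only repeats the commit title and does not tell operators what changed; since the patch adds observable behaviour (any input left buffered behind STARTTLS is discarded before TLS is negotiated, and a debug message is emitted), state that, for example "PP/06 Discard any input buffered behind STARTTLS before negotiating TLS, and note it in debug output."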
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 2ef6977..500000b 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -3844,6 +3844,23 @@ while (done <= 0)
     toomany = FALSE;
     cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = FALSE;


+    /* There's an attack where more data is read in past the STARTTLS command
+    before TLS is negotiated, then assumed to be part of the secure session
+    when used afterwards; we use segregated input buffers, so are not
+    vulnerable, but we want to note when it happens and, for sheer paranoia,
+    ensure that the buffer is "wiped".
+    Pipelining sync checks will normally have protected us too, unless disabled
+    by configuration. */
+
+    if (receive_smtp_buffered())
+      {
+      DEBUG(D_any)
+        debug_printf("Non-empty input buffer after STARTTLS; naive attack?");
+      if (tls_active < 0)
+        smtp_inend = smtp_inptr = smtp_inbuffer;
+      /* and if TLS is already active, tls_server_start() should fail */
+      }
+
     /* Attempt to start up a TLS session, and if successful, discard all
     knowledge that was obtained previously. At least, that's what the RFC says,
     and that's what happens by default. However, in order to work round YAEB,
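Review bot: the detection added here is debug-only: `DEBUG(D_any) debug_printf("Non-empty input buffer after STARTTLS; naive attack?");` produces nothing unless Exim is running with debugging enabled, so in normal operation an operator never learns that a client sent data behind STARTTLS; consider also writing the event to the main log (e.g. via log_write) so it can be monitored and acted on. The debug string has no terminating newline, so the next debug line will run onto the same line. The comment also says the buffer is "wiped", but `smtp_inend = smtp_inptr = smtp_inbuffer;` only resets the read pointers and leaves the bytes in place; either say "discarded" or clear the range if wiping is the intent. Finally, the `tls_active >= 0` case is covered only by the comment that tls_server_start() "should fail"; an explicit check or assertion would be safer than relying on that.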