[exim-cvs] Also memset(.., 0, ..) the pre-TLS input buffer.

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Also memset(.., 0, ..) the pre-TLS input buffer.
Gitweb: http://git.exim.org/exim.git/commitdiff/4e7ee01264c430b044fd81cbc79a09ee0348d018
Commit:     4e7ee01264c430b044fd81cbc79a09ee0348d018
Parent:     da80c2a8ed49427334af613c00df65ae301cacdd
Author:     Phil Pennock <pdp@???>
AuthorDate: Thu Mar 24 04:40:33 2011 -0400
Committer:  Phil Pennock <pdp@???>
CommitDate: Thu Mar 24 04:40:33 2011 -0400


    Also memset(.., 0, ..) the pre-TLS input buffer.
---
 doc/doc-txt/ChangeLog |    3 ++-
 src/src/smtp_in.c     |    9 +++++++++
 2 files changed, 11 insertions(+), 1 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 37c7f21..ce78086 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -18,7 +18,8 @@ PP/04 New "dns_use_edns0" global option.
 PP/05 Don't segfault on misconfiguration of ref:name exim-user as uid.
       Bugzilla 1098.


-PP/06 Extra paranoia around STARTTLS-with-data-in-buffer.
+PP/06 Extra paranoia around buffer usage at the STARTTLS transition.
+      nb: Exim is not vulnerable to http://www.kb.cert.org/vuls/id/555316



 Exim version 4.75
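Review bot: the new PP/06 line asserts "Exim is not vulnerable to http://www.kb.cert.org/vuls/id/555316" but gives no reason, so a reader of the ChangeLog cannot tell whether that is because the buffer is discarded after a successful TLS negotiation (as the smtp_in.c comment in this same commit explains) or because of the new memset. Consider adding a short clause such as "(pre-TLS input is discarded; this change additionally zeroes it)" so the claim is self-explaining and the distinction between the existing behaviour and the extra paranoia is recorded.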
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 500000b..38c7afc 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -3861,6 +3861,15 @@ while (done <= 0)
       /* and if TLS is already active, tls_server_start() should fail */
       }


+    /* There is nothing we value in the input buffer and if TLS is succesfully
+    negotiated, we won't use this buffer again; if TLS fails, we'll just read
+    fresh content into it.  The buffer contains arbitrary content from an
+    untrusted remote source; eg: NOOP <shellcode>\r\nSTARTTLS\r\n
+    It seems safest to just wipe away the content rather than leave it as a
+    target to jump to. */
+
+    memset(smtp_inbuffer, 0, in_buffer_size);
+
     /* Attempt to start up a TLS session, and if successful, discard all
     knowledge that was obtained previously. At least, that's what the RFC says,
     and that's what happens by default. However, in order to work round YAEB,
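Review bot: two points on the added block. First, the memset(smtp_inbuffer, 0, in_buffer_size) assumes in_buffer_size is the full allocated length of smtp_inbuffer rather than the number of bytes currently held; please confirm that, since the surrounding hunk does not show where either is defined and a mismatch would make this either a partial wipe or an overrun. Second, zeroing the bytes does not by itself reset whatever tracks how much of the buffer is filled, so the "if TLS fails, we'll just read fresh content into it" claim depends on the failure path re-initialising that state; worth a one-line note in the comment. Minor: "succesfully" in the comment should be "successfully".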