http://bugs.exim.org/show_bug.cgi?id=1182
Summary: smtp_command variable uninitialised
Product: Exim
Version: 4.77
Platform: All
OS/Version: All
Status: NEW
Severity: bug
Priority: low
Component: String expansion
AssignedTo: nigel@???
ReportedBy: jgh146exb@???
CC: exim-dev@???

Before HELO the $smtp_command variable is an allocated but uninitialised
buffer. It is possible to access it in a notquit ACL, e.g. on a TCP-only
connection without SMTP content. Such connections may be used either by
attackers or by system-liveness monitoring.

Suggested patch:
--- exim-4.77/src/smtp_in.c.smtp_command_var_init 2011-11-30
14:21:49.361972279 +0000
+++ exim-4.77/src/smtp_in.c 2011-11-30 14:22:08.696972268 +0000
@@ -1395,6 +1395,7 @@ smtp_cmd_buffer = (uschar *)malloc(2*smt
if (smtp_cmd_buffer == NULL)
log_write(0, LOG_MAIN|LOG_PANIC_DIE,
"malloc() failed for SMTP command buffer");
+smtp_cmd_buffer[0] = 0;
smtp_data_buffer = smtp_cmd_buffer + smtp_cmd_buffer_size + 1;
/* For batched input, the protocol setting can be overridden from the
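
Review bot: the added "smtp_cmd_buffer[0] = 0;" terminates only the first half of the allocation; smtp_data_buffer, set on the following line to "smtp_cmd_buffer + smtp_cmd_buffer_size + 1", points into the same malloc() region and is still uninitialised. If any expansion variable can reference that second buffer before a command has been read, it has the same problem, so consider adding "smtp_data_buffer[0] = 0;" after its assignment. A one-line comment above the new store would also help, saying that the buffer can be expanded (for example from a notquit ACL) before any SMTP command has been received. Separately, the new store relies on log_write() with LOG_PANIC_DIE not returning when malloc() fails; that matches the flag name, but it is worth confirming so the write can never hit a NULL pointer.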