[exim-dev] [Bug 1182] New: smtp_command variable uninitialis…

Author: Jeremy Harris
Date:  
To: exim-dev
New-Topics: [exim-dev] [Bug 1182] smtp_command variable uninitialised, [exim-dev] [Bug 1182] smtp_command variable uninitialised
Subject: [exim-dev] [Bug 1182] New: smtp_command variable uninitialised
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1182
           Summary: smtp_command variable uninitialised
           Product: Exim
           Version: 4.77
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: bug
          Priority: low
         Component: String expansion
        AssignedTo: nigel@???
        ReportedBy: jgh146exb@???
                CC: exim-dev@???



Before HELO the $smtp_command variable is an allocated but uninitialised
buffer. It is possible to access it in a notquit ACL, e.g. on a TCP-only
connection without smtp content. Such connections may be used either by
attackers or by system-liveness monitoring.

Suggested patch:

--- exim-4.77/src/smtp_in.c.smtp_command_var_init       2011-11-30
14:21:49.361972279 +0000
+++ exim-4.77/src/smtp_in.c     2011-11-30 14:22:08.696972268 +0000
@@ -1395,6 +1395,7 @@ smtp_cmd_buffer = (uschar *)malloc(2*smt
 if (smtp_cmd_buffer == NULL)
   log_write(0, LOG_MAIN|LOG_PANIC_DIE,
     "malloc() failed for SMTP command buffer");
+smtp_cmd_buffer[0] = 0;
 smtp_data_buffer = smtp_cmd_buffer + smtp_cmd_buffer_size + 1;


/* For batched input, the protocol setting can be overridden from the
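
Review bot: The added `smtp_cmd_buffer[0] = 0;` terminates only the command half of the allocation; `smtp_data_buffer`, set on the next line to `smtp_cmd_buffer + smtp_cmd_buffer_size + 1`, points into the same malloc() block and is still uninitialised. If anything can expand or log it before the first SMTP command has been read, it needs the same treatment, for example `smtp_data_buffer[0] = 0;` directly after its assignment. A one-line comment above the new statement, noting that $smtp_command can be expanded before any command has arrived (the notquit ACL case from the report), would also keep the initialisation from being removed later as redundant.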


--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email