[exim-dev] [Bug 2199] Exim use-after-free vulnerability whil…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2199] Exim use-after-free vulnerability while reading mail header
https://bugs.exim.org/show_bug.cgi?id=2199

--- Comment #2 from meh <meh@???> ---
It does happen.

In receive.c, exim uses receive_getc to read the message.
1831     ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
When exim is handling a BDAT command, receive_getc is bdat_getc.
In bdat_getc, after the length of BDAT is reached, bdat_getc tries to read the
next command.
smtp_in.c
 536 next_cmd:
 537   switch(smtp_read_command(TRUE, 1))
 538     {
 539     default:
 540       (void) synprot_error(L_smtp_protocol_error, 503, NULL,
 541     US"only BDAT permissible after non-LAST BDAT");


synprot_error may call store_get if any non-printable character exists, because
synprot_error uses string_printing.

string.c
304 /* Get a new block of store guaranteed big enough to hold the
305 expanded string. */
306
307 ss = store_get(length + nonprintcount * 3 + 1);

This all happens in the main thread.

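A constructed model of the call sequence described in the comment above, added here as an example; it is not code from the original post and not Exim's receive.c, smtp_in.c, string.c or store.c. A header loop keeps a buffer obtained from a pool allocator live across every getc call; the getc callback, on finding a non-BDAT command once the chunk is used up, runs an error path that escapes the command with a string_printing-style routine sized as length + nonprintcount * 3 + 1 and allocating from the same pool. Instead of executing a use-after-free, the model counts the getc calls during which the pool allocated, which is the condition the comment relies on, and shows one constructed way to avoid it (not the project's fix): park the raw command in a fixed buffer and format the error only after the header loop is done. `pool_get`, `pool_reset_all`, `printing`, `reader_t`, `reader_init`, `bdat_getc`, `read_header`, the `defer_errors` flag and the `session` bytes are all assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for store_get (not Exim's store.c): every call is
 * counted so the header reader can tell whether a getc call allocated. */
static void *blocks[64];
static int nblocks;
unsigned long pool_allocs;                    /* bumped by every pool_get call */

void *pool_get(size_t n) {
  pool_allocs++;
  if (nblocks == 64) abort();
  return blocks[nblocks++] = malloc(n);
}

void pool_reset_all(void) {
  while (nblocks > 0) free(blocks[--nblocks]);
  pool_allocs = 0;
}

/* Model of string_printing: each non-printable byte becomes \xNN, 4 bytes for
 * 1, hence the length + nonprintcount * 3 + 1 sizing quoted from string.c.
 * Like the original it allocates only when something has to be escaped. */
const char *printing(const char *s) {
  size_t len = strlen(s), np = 0;
  for (size_t i = 0; i < len; i++) np += !isprint((unsigned char)s[i]);
  if (np == 0) return s;
  char *out = pool_get(len + np * 3 + 1), *o = out;
  for (size_t i = 0; i < len; i++) {
    unsigned char c = (unsigned char)s[i];
    if (isprint(c)) *o++ = (char)c;
    else { sprintf(o, "\\x%02X", c); o += 4; }
  }
  *o = '\0';
  return out;
}

/* Model of bdat_getc: serves the current chunk and, once it is used up, reads
 * the next command. A non-BDAT command takes the error path, which formats
 * the command (and so may allocate) unless defer_errors is set, in which case
 * the raw command is parked in a fixed buffer to be formatted later. */
typedef struct { const char *p, *end; long chunk_left; int defer_errors;
                 char pending[128]; } reader_t;

static int read_line(reader_t *r, char *buf, size_t cap) {
  size_t n = 0;
  for (char c; r->p < r->end && (c = *r->p++) != '\n';)
    if (c != '\r' && n + 1 < cap) buf[n++] = c;
  buf[n] = '\0';
  return n > 0;
}

void reader_init(reader_t *r, const char *session, size_t len, int defer) {
  char cmd[128];
  r->p = session; r->end = session + len;
  r->defer_errors = defer; r->pending[0] = '\0';
  r->chunk_left = (read_line(r, cmd, sizeof cmd) && !strncmp(cmd, "BDAT ", 5))
                  ? atol(cmd + 5) : 0;
}

int bdat_getc(reader_t *r) {
  char cmd[128];
  if (r->chunk_left == 0) {
    if (!read_line(r, cmd, sizeof cmd)) return EOF;
    if (strncmp(cmd, "BDAT ", 5) != 0) {
      if (r->defer_errors) snprintf(r->pending, sizeof r->pending, "%s", cmd);
      else printing(cmd);     /* synprot_error -> string_printing -> store_get */
      return EOF;
    }
    if ((r->chunk_left = atol(cmd + 5)) == 0) return EOF;
  }
  if (r->p >= r->end) return EOF;
  r->chunk_left--;
  return (unsigned char)*r->p++;
}

/* Model of the header loop in receive_msg: a pool buffer stays live across
 * every getc call. Returns how many of those calls allocated from the pool,
 * the condition under which the callee can disturb a pointer like `text`. */
int read_header(reader_t *r, char *out, size_t outcap) {
  char *text = pool_get(32);
  size_t n = 0; int allocating_reads = 0;
  for (;;) {
    unsigned long before = pool_allocs; int ch = bdat_getc(r);
    if (pool_allocs != before) allocating_reads++;
    if (ch == EOF || ch == '\n') break;
    if (n + 1 < 32) text[n++] = (char)ch;
  }
  text[n] = '\0';
  snprintf(out, outcap, "%s", text);
  return allocating_reads;
}

/* Constructed session: a 10-byte BDAT chunk with part of a header, then a
 * next command that is not BDAT and carries a non-printable byte (0x01). */
static const char session[] = "BDAT 10\r\nSubject: xMAIL\x01 FROM:<a@b>\r\n";
```

Calling `reader_init(&r, session, sizeof session - 1, 0)` and then `read_header(&r, hdr, sizeof hdr)` returns 1: the eleventh getc call, the one that hits the non-BDAT command, allocated while the header buffer was live, and the header read so far is "Subject: x". With `defer_errors` set the same session yields 0 and `printing(r.pending)` can be run afterwards to produce "MAIL\x01 FROM:<a@b>". Replacing the 0x01 byte with a printable one makes both readers return 0, matching the comment's point that string_printing only calls store_get when there is something non-printable to escape.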