[exim-dev] [Bug 2199] Exim use-after-free vulnerability whil…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2199] Exim use-after-free vulnerability while reading mail header
https://bugs.exim.org/show_bug.cgi?id=2199

Jeremy Harris <jgh146exb@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|nigel@???              |jgh146exb@???


--- Comment #12 from Jeremy Harris <jgh146exb@???> ---
Please test this possible fix:

     if (!store_extend(next->text, oldsize, header_size))
       {
+      BOOL release_ok = store_last_get[store_pool] == next->text;
       uschar *newtext = store_get(header_size);
       memcpy(newtext, next->text, ptr);
-      store_release(next->text);
+      if (release_ok) store_release(next->text);
       next->text = newtext;
       }
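
Review bot: The release_ok test added at the top of the block needs a comment saying why store_release(next->text) is only safe when next->text is the most recent allocation in the current pool (store_last_get[store_pool] == next->text). Without it the guard reads like an optimisation rather than the fix. The comment should also say that the test must stay ahead of the store_get(header_size) call, because store_get() updates store_last_get[store_pool] and the comparison would otherwise always fail. When release_ok is false the old buffer is neither released nor reused, so it stays in the pool until the pool is reset. Please confirm that is acceptable for a header that grows several times.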



Also: you originally said "exploitable to RCE". Is that "Remote Code
Execution"?
If so, how?
What about "uaf" - what is that?
