https://bugs.exim.org/show_bug.cgi?id=2201
--- Comment #4 from Heiko Schlittermann <hs@???> ---
(In reply to meh from comment #0)
> While parsing BDAT data header, exim still scans for '.' and consider it the
> end of mail.
> https://github.com/Exim/exim/blob/master/src/src/receive.c#L1867
>
> Exim goes into an incorrect state after this message is sent because the
> function pointer receive_getc is not reset. If the following command is also
> a BDAT, receive_getc and lwr_receive_getc become the same and an infinite
> loop occurs inside bdat_getc. Program crashes due to running out of stack.
> https://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L547
>
> Here is a simple PoC which leads to an infinite loop and program crash:
> ```
> EHLO localhost
> MAIL FROM:<test@localhost>
> RCPT TO:<test@localhost>
> BDAT 10
> .
> BDAT 0
> ```
> // Tested on current master, ubuntu16.04.
I can reproduce it, though with a slightly changed "challenge".
--
You are receiving this mail because:
You are on the CC list for the bug.