[exim-dev] [Bug 2199] Exim use-after-free vulnerability whil…

Top Page
Delete this message
Reply to this message
Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2199] Exim use-after-free vulnerability while reading mail header
https://bugs.exim.org/show_bug.cgi?id=2199

Git Commit <git@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |git@???


--- Comment #15 from Git Commit <git@???> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/4e6ae6235c68de243b1c2419027472d7659aa2b4

commit 4e6ae6235c68de243b1c2419027472d7659aa2b4
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Fri Nov 24 20:22:33 2017 +0000
Commit:     Jeremy Harris <jgh146exb@???>
CommitDate: Sat Nov 25 15:49:32 2017 +0000


    Avoid release of store if there have been later allocations.  Bug 2199
---
 src/src/receive.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)


diff --git a/src/src/receive.c b/src/src/receive.c
index e7e518a..d9b5001 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -1810,8 +1810,8 @@ for (;;)
(and sometimes lunatic messages can have ones that are 100s of K long) we
call store_release() for strings that have been copied - if the string is at
the start of a block (and therefore the only thing in it, because we aren't
- doing any other gets), the block gets freed. We can only do this because we
- know there are no other calls to store_get() going on. */
+ doing any other gets), the block gets freed. We can only do this release if
+ there were no allocations since the once that we want to free. */

   if (ptr >= header_size - 4)
     {
@@ -1820,9 +1820,10 @@ for (;;)
     header_size *= 2;
     if (!store_extend(next->text, oldsize, header_size))
       {
+      BOOL release_ok = store_last_get[store_pool] == next->text;
       uschar *newtext = store_get(header_size);
       memcpy(newtext, next->text, ptr);
-      store_release(next->text);
+      if (release_ok) store_release(next->text);
       next->text = newtext;
       }
     }


--
You are receiving this mail because:
You are on the CC list for the bug.