[exim-dev] [Bug 2201] Exim handles BDAT data incorrectly and…

Pàgina inicial
Delete this message
Reply to this message
Autor: admin
Data:  
A: exim-dev
Assumptes vells: [exim-dev] [Bug 2201] New: Exim handle BDAT data incorrectly and leads to crash
Assumpte: [exim-dev] [Bug 2201] Exim handles BDAT data incorrectly and leads to crash
https://bugs.exim.org/show_bug.cgi?id=2201

--- Comment #13 from Git Commit <git@???> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/527504e8d8ff7a1cd967ea57cb7f29b92b052bae

commit 527504e8d8ff7a1cd967ea57cb7f29b92b052bae
Author:     Heiko Schlittermann (HS12-RIPE) <hs@???>
AuthorDate: Mon Nov 27 22:42:33 2017 +0100
Commit:     Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Sun Dec 3 19:50:29 2017 +0100


    Chunking: do not treat the first lonely dot special. CVE-2017-16944, Bug
2201
---
 src/src/receive.c | 2 +-
 src/src/smtp_in.c | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)


diff --git a/src/src/receive.c b/src/src/receive.c
index 5dc9bb5..ae2c93b 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -1859,7 +1859,7 @@ for (;;)
prevent further reading), and break out of the loop, having freed the
empty header, and set next = NULL to indicate no data line. */

-  if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
+  if (ptr == 0 && ch == '.' && dot_ends)
     {
     ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
     if (ch == '\r')
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 28586f3..00e9d41 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -5097,17 +5097,24 @@ while (done <= 0)
       DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
                     (int)chunking_state, chunking_data_left);


+      /* push the current receive_* function on the "stack", and
+      replace them by bdat_getc(), which in turn will use the lwr_receive_*
+      functions to do the dirty work. */
       lwr_receive_getc = receive_getc;
       lwr_receive_getbuf = receive_getbuf;
       lwr_receive_ungetc = receive_ungetc;
+
       receive_getc = bdat_getc;
       receive_ungetc = bdat_ungetc;


+      dot_ends = FALSE;
+
       goto DATA_BDAT;
       }


     case DATA_CMD:
     HAD(SCH_DATA);
+    dot_ends = TRUE;


     DATA_BDAT:        /* Common code for DATA and BDAT */
     if (!discarded && recipients_count <= 0)


--
You are receiving this mail because:
You are on the CC list for the bug.