https://bugs.exim.org/show_bug.cgi?id=2201
--- Comment #13 from Git Commit <git@???> ---
Git commit:
https://git.exim.org/exim.git/commitdiff/527504e8d8ff7a1cd967ea57cb7f29b92b052bae
commit 527504e8d8ff7a1cd967ea57cb7f29b92b052bae
Author: Heiko Schlittermann (HS12-RIPE) <hs@???>
AuthorDate: Mon Nov 27 22:42:33 2017 +0100
Commit: Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Sun Dec 3 19:50:29 2017 +0100
Chunking: do not treat the first lonely dot special. CVE-2017-16944, Bug
2201
---
src/src/receive.c | 2 +-
src/src/smtp_in.c | 7 +++++++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/src/receive.c b/src/src/receive.c
index 5dc9bb5..ae2c93b 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -1859,7 +1859,7 @@ for (;;)
prevent further reading), and break out of the loop, having freed the
empty header, and set next = NULL to indicate no data line. */
- if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
+ if (ptr == 0 && ch == '.' && dot_ends)
{
ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
if (ch == '\r')
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 28586f3..00e9d41 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -5097,17 +5097,24 @@ while (done <= 0)
DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
(int)chunking_state, chunking_data_left);
+ /* push the current receive_* function on the "stack", and
+ replace them by bdat_getc(), which in turn will use the lwr_receive_*
+ functions to do the dirty work. */
lwr_receive_getc = receive_getc;
lwr_receive_getbuf = receive_getbuf;
lwr_receive_ungetc = receive_ungetc;
+
receive_getc = bdat_getc;
receive_ungetc = bdat_ungetc;
+ dot_ends = FALSE;
+
goto DATA_BDAT;
}
case DATA_CMD:
HAD(SCH_DATA);
+ dot_ends = TRUE;
DATA_BDAT: /* Common code for DATA and BDAT */
if (!discarded && recipients_count <= 0)
--
You are receiving this mail because:
You are on the CC list for the bug.
