[exim-cvs] Taint: fix off-by-one in is_tainted(). Bug 2634

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Taint: fix off-by-one in is_tainted(). Bug 2634
Gitweb: https://git.exim.org/exim.git/commitdiff/e0ae68c8ee6788508da4989ee0d6fcbaf40c7b97
Commit:     e0ae68c8ee6788508da4989ee0d6fcbaf40c7b97
Parent:     7044dd8fd62e215572ecf5a2c7f1bb9581cf6628
Author:     Gavan <gavan@???>
AuthorDate: Fri Aug 21 15:46:01 2020 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Fri Aug 21 15:46:01 2020 +0100


    Taint: fix off-by-one in is_tainted().  Bug 2634
---
 doc/doc-txt/ChangeLog | 5 +++++
 src/src/store.c       | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index eb64e0a..9048e3f 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -111,6 +111,11 @@ JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be
 JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI
       in quotes.


+JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for
+      is_tainted() had an off-by-one error in the overenthusiastic direction.
+      Find and fix by Gavan.  Although NetBSD is not a supported platform for
+      4.94 this bug could affect other platforms.
+


 Exim version 4.94
 -----------------
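Review bot: "the testing coded for is_tainted()" on the first added line reads as a typo for "the testing code for is_tainted()"; while editing that entry, consider stating the symptom in one clause (a pointer one past the end of a taint-pool block was reported as tainted), since "overenthusiastic direction" is the only hint a reader gets about which way the bound was wrong.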
diff --git a/src/src/store.c b/src/src/store.c
index 47d6f91..df7078f 100644
--- a/src/src/store.c
+++ b/src/src/store.c
@@ -188,14 +188,14 @@ for (int pool = POOL_TAINT_BASE; pool < nelem(chainbase); pool++)
   if ((b = current_block[pool]))
     {
     uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK;
-    if (US p >= bc && US p <= bc + b->length) return TRUE;
+    if (US p >= bc && US p < bc + b->length) return TRUE;
     }


 for (int pool = POOL_TAINT_BASE; pool < nelem(chainbase); pool++)
   for (b = chainbase[pool]; b; b = b->next)
     {
     uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK;
-    if (US p >= bc && US p <= bc + b->length) return TRUE;
+    if (US p >= bc && US p < bc + b->length) return TRUE;
     }
 return FALSE;
 }
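Review bot: the corrected comparison `US p < bc + b->length` makes the block the half-open range [bc, bc + length), which is the right bound because a pointer equal to bc + b->length names the byte after the block and can legitimately belong to the next allocation; since the identical check appears in both loops (current_block and chainbase), factoring it into one static helper such as `pointer_in_block(b, p)` would keep the two bounds from drifting apart again, and a regression test that probes a pointer exactly at bc + b->length of a taint block would catch a repeat of this bug.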