[exim-cvs] SECURITY: fix SMTP verb option parsing

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] SECURITY: fix SMTP verb option parsing
Gitweb: https://git.exim.org/exim.git/commitdiff/518f0a0dd6df6f0d0ea51bfa126982d134e7a7ff
Commit:     518f0a0dd6df6f0d0ea51bfa126982d134e7a7ff
Parent:     0695aae1eb75b439862d0f7fbf099b5d08f55af0
Author:     Phil Pennock <phil+git@???>
AuthorDate: Thu Oct 29 22:40:59 2020 -0400
Committer:  Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Thu May 27 21:30:30 2021 +0200


    SECURITY: fix SMTP verb option parsing


    A boundary case in looking for an opening quote before the closing quote could
    walk off the front of the buffer.


    (cherry picked from commit 515d8d43a18481d23d7cf410b8dc71b4e254ebb8)
    (cherry picked from commit 467948de0c407bd2bbc2e84abbbf09f35b035538)
---
 doc/doc-txt/ChangeLog | 3 +++
 src/src/smtp_in.c     | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 3d0e638..9837d6c 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -285,6 +285,9 @@ PP/09 Fix security issue with too many recipients on a message (to remove a
       or if local additions add to the recipient list).
       Fixes CVE-2020-RCPTL reported by Qualys.


+PP/10 Fix security issue in SMTP verb option parsing
+      Fixes CVE-2020-EXOPT reported by Qualys.
+


Exim version 4.94
-----------------
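
Review bot: the PP/10 entry identifies the issue only as "CVE-2020-EXOPT", which is not in the numeric CVE-YYYY-NNNN form and so cannot be looked up in a CVE database or matched by a vulnerability scanner. Replace it with the assigned numeric ID once one exists. The entry would also be more useful if it said what the flaw is, as the commit message does (a read before the start of the buffer while parsing SMTP verb options in extract_option), so that someone reading the ChangeLog can judge exposure without opening the commit.
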
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index d60e7d5..4f16fd4 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -1969,12 +1969,13 @@ extract_option(uschar **name, uschar **value)
uschar *n;
uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
while (isspace(*v)) v--;
-v[1] = 0;
+v[1] = '\0';
while (v > smtp_cmd_data && *v != '=' && !isspace(*v))
{
/* Take care to not stop at a space embedded in a quoted local-part */

-  if (*v == '"') do v--; while (*v != '"' && v > smtp_cmd_data+1);
+  if ((*v == '"') && (v > smtp_cmd_data + 1))
+    do v--; while (*v != '"' && v > smtp_cmd_data+1);
   v--;
   }
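
Review bot: the unchanged context line `while (isspace(*v)) v--;` above the changed `v[1]` assignment has no lower bound, so the same class of problem this patch fixes for the quote scan remains for trailing whitespace. If smtp_cmd_data is empty, v starts at smtp_cmd_data - 1, and if it holds only whitespace the loop walks backwards past the start of the buffer; the following `v[1] = '\0';` then writes relative to that pointer. Unless every caller guarantees a non-empty, non-blank argument, return early when Ustrlen(smtp_cmd_data) is 0 and bound the loop as `while (v > smtp_cmd_data && isspace(*v)) v--;`. Separately, the `0` to `'\0'` change is cosmetic and would be easier to audit in its own commit rather than inside a security fix that is being cherry-picked across branches.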