Gitweb:
https://git.exim.org/exim.git/commitdiff/fa5f51b5b5157e55104bd10d66ccaa066090eec3
Commit: fa5f51b5b5157e55104bd10d66ccaa066090eec3
Parent: 5acbba8e07243f6c221171398d90a6c824724f45
Author: Heiko Schlittermann (HS12-RIPE) <hs@???>
AuthorDate: Sat Nov 21 22:03:03 2020 +0100
Committer: Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Thu May 27 21:30:34 2021 +0200
SECURITY: off-by-one in smtp transport (read response)
Credits: Qualys
1/ In src/transports/smtp.c:
2281 int n = sizeof(sx->buffer);
2282 uschar * rsp = sx->buffer;
2283
2284 if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
2285 { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
This should probably be either:
rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1;
or:
rsp = sx->buffer + n; n = sizeof(sx->buffer) - n;
(not sure which) to avoid an off-by-one.
(cherry picked from commit d2c44ef5dd94f1f43ba1d1a02bc4594f4fba5e38)
(cherry picked from commit 4045cb01a590ec480f45f80967cd9c59fe23a5d0)
---
src/src/transports/smtp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 02a55f1..264ebc0 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -2475,8 +2475,8 @@ goto SEND_QUIT;
int n = sizeof(sx->buffer);
uschar * rsp = sx->buffer;
- if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
- { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
+ if (sx->esmtp_sent && (n = Ustrlen(sx->buffer) + 1) < sizeof(sx->buffer)/2)
+ { rsp = sx->buffer + n; n = sizeof(sx->buffer) - n; }
if (smtp_write_command(sx, SCMD_FLUSH, "HELO %s\r\n", sx->helo_data) < 0)
goto SEND_FAILED;
