[exim-cvs] SECURITY: Don't miss the very last byte when read…

Author: Exim Git Commits Mailing List
Date:
To: exim-cvs
Subject: [exim-cvs] SECURITY: Don't miss the very last byte when reading long lines from -H
Gitweb: https://git.exim.org/exim.git/commitdiff/5dad84609e49ce4c45d29ccb98b1b7b1f296d69e
Commit:     5dad84609e49ce4c45d29ccb98b1b7b1f296d69e
Parent:     fa5f51b5b5157e55104bd10d66ccaa066090eec3
Author:     Heiko Schlittermann (HS12-RIPE) <hs@???>
AuthorDate: Sat Nov 21 22:18:56 2020 +0100
Committer:  Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Thu May 27 21:30:35 2021 +0200


    SECURITY: Don't miss the very last byte when reading long lines from -H


    Credits: Qualys


        2/ In src/spool_in.c:


         462   while (  (len = Ustrlen(big_buffer)) == big_buffer_size-1
         463         && big_buffer[len-1] != '\n'
         464         )
         465     {   /* buffer not big enough for line; certs make this possible */
         466     uschar * buf;
         467     if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
         468     buf = store_get_perm(big_buffer_size *= 2, FALSE);
         469     memcpy(buf, big_buffer, --len);


        The --len in memcpy() chops off a useful byte (we know for sure that
        big_buffer[len-1] is not a '\n' because we entered the while loop).


    (cherry picked from commit 58454ea01c2e817481770954edf09ad82f3cd417)
    (cherry picked from commit 2d9f1837bdd6c5946cb9cd997544eefc8cc14fc4)
---
 src/src/spool_in.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)


diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index f64c52c..09fe9c5 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -468,7 +468,7 @@ for (;;)
     uschar * buf;
     if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
     buf = store_get_perm(big_buffer_size *= 2, FALSE);
-    memcpy(buf, big_buffer, --len);
+    memcpy(buf, big_buffer, len);
     big_buffer = buf;
     if (Ufgets(big_buffer+len, big_buffer_size-len, fp) == NULL)
       goto SPOOL_READ_ERROR;
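
Review bot: the changed memcpy() line would benefit from a one-line comment stating why the count is len rather than len-1: the loop is entered only when big_buffer[len-1] is not '\n', so all len bytes are line data and Ufgets(big_buffer+len, ...) has to resume directly after them. The diffstat lists only src/src/spool_in.c, so the fix arrives without a test for a -H line that exactly fills big_buffer; one would guard against this off-by-one coming back. Note also that memcpy() leaves buf without a terminating NUL until Ufgets() succeeds, which is safe in these lines only because the failure path jumps to SPOOL_READ_ERROR.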