[exim-cvs] CVE-2020-28019: Failure to reset function pointer…

Autore: Exim Git Commits Mailing List
Data:  
To: exim-cvs
Oggetto: [exim-cvs] CVE-2020-28019: Failure to reset function pointer after BDAT error
Gitweb: https://git.exim.org/exim.git/commitdiff/6552729ba7975985cbcb938cf4ecf7b54e395763
Commit:     6552729ba7975985cbcb938cf4ecf7b54e395763
Parent:     da140cebadf56aeb3e2956ad4e317b0f9619a9e6
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Mar 4 22:19:08 2021 +0100
Committer:  Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Thu May 27 21:30:41 2021 +0200


    CVE-2020-28019: Failure to reset function pointer after BDAT error


    Based on Phil Pennock's commits 4715403e and 151ffd72, and Jeremy
    Harris's commits aa171254 and 9aceb5c2.


    (cherry picked from commit 0a3fbb7e3be375bc93b8e359c6aff333c7c2d76f)
    (cherry picked from commit 99d057fad97a2def9f000ebccda83e4008112819)
---
 src/src/smtp_in.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)


diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index b6d530f..6d23397 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -794,15 +794,22 @@ else
}

receive_getc = bdat_getc;
+receive_getbuf = bdat_getbuf;
receive_ungetc = bdat_ungetc;
}

 static inline void
 bdat_pop_receive_functions(void)
 {
+if (lwr_receive_getc == NULL)
+  {
+  DEBUG(D_receive) debug_printf("chunking double-pop receive functions\n");
+  return;
+  }
 receive_getc = lwr_receive_getc;
 receive_getbuf = lwr_receive_getbuf;
 receive_ungetc = lwr_receive_ungetc;
+
 lwr_receive_getc = NULL;
 lwr_receive_getbuf = NULL;
 lwr_receive_ungetc = NULL;
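Review bot: The new double-pop guard in `bdat_pop_receive_functions` tests only `lwr_receive_getc`, so it is correct only while the three `lwr_receive_*` pointers are always saved and cleared as a group. That invariant should be stated above the check, for example `/* lwr_receive_* are set and cleared together; NULL means no push is outstanding, and restoring would install NULL receive function pointers */`. A double pop is reported only under `D_receive` debugging, so in normal operation it passes silently. It appears to mean the chunking state and the saved receive functions are out of step, so consider recording it in a log that operators see by default. The push function starts above the hunk, so whether it carries a matching double-push guard cannot be confirmed from here.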
@@ -5341,7 +5348,7 @@ while (done <= 0)
       DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
                     (int)chunking_state, chunking_data_left);


-      f.bdat_readers_wanted = TRUE;
+      f.bdat_readers_wanted = TRUE; /* FIXME: redundant vs chunking_state? */
       f.dot_ends = FALSE;


       goto DATA_BDAT;
@@ -5391,6 +5398,12 @@ while (done <= 0)
     sender_address = NULL;  /* This will allow a new MAIL without RSET */
     sender_address_unrewritten = NULL;
     smtp_printf("554 Too many recipients\r\n", FALSE);
+
+    if (chunking_state > CHUNKING_OFFERED)
+      {
+      bdat_push_receive_functions();
+      bdat_flush_data();
+      }
     break;
     }
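Review bot: The block added after the 554 reply depends on two things the hunk does not show. One is that `chunking_state > CHUNKING_OFFERED` means a BDAT chunk is in progress, which assumes an ordering of the enum values. The other is that `bdat_flush_data()` pops the receive functions pushed on the line before it; if it does not, this path leaves the BDAT readers installed for the next command. A short comment would pin both down, e.g. `/* BDAT active: re-install the chunk readers so the remainder of the chunk is drained; bdat_flush_data() is expected to pop them again */`. The enclosing `while (done <= 0)` loop extends outside the hunk, so other paths that reject a command mid-chunk could not be checked for the same handling.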