[exim-cvs] SECURITY: Check overrun rcpt_count integer

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Exim Git Commits Mailing List
Ημερομηνία:  
Προς: exim-cvs
Αντικείμενο: [exim-cvs] SECURITY: Check overrun rcpt_count integer
Gitweb: https://git.exim.org/exim.git/commitdiff/87804cc1f325a3eb5a562b708deb0293402e1f8f
Commit:     87804cc1f325a3eb5a562b708deb0293402e1f8f
Parent:     40b8be2e25abb7569a05c839f5d0ab6176307a75
Author:     Heiko Schlittermann (HS12-RIPE) <hs@???>
AuthorDate: Wed Nov 25 22:26:53 2020 +0100
Committer:  Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Thu May 27 21:30:36 2021 +0200


    SECURITY: Check overrun rcpt_count integer


    Credits: Qualys


        4/ In src/smtp_in.c:


        4966     case RCPT_CMD:
        4967       HAD(SCH_RCPT);
        4968       rcpt_count++;
        ....
        5123       if (rcpt_count > recipients_max && recipients_max > 0)


        In theory this recipients_max check can be bypassed, because the int
        rcpt_count can overflow (become negative). In practice this would either
        consume too much memory or generate too much network traffic, but maybe
        it should be fixed anyway.


    (cherry picked from commit 04139ca809fbe56d8fe9c55a77640ea9fa93b8f1)
    (cherry picked from commit db96ca55137d7684a9afdf9d118feed9116906b7)
---
 src/src/smtp_in.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)


diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 93d5cec..b6d530f 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -5036,6 +5036,10 @@ while (done <= 0)

     case RCPT_CMD:
       HAD(SCH_RCPT);
+      /* We got really to many recipients. A check against configured
+      limits is done later */
+      if (rcpt_count < 0 || rcpt_count >= INT_MAX/2)
+        log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Too many recipients: %d", rcpt_count);
       rcpt_count++;
       was_rcpt = fl.rcpt_in_progress = TRUE;


@@ -5192,7 +5196,7 @@ while (done <= 0)

       /* Check maximum allowed */


-      if (rcpt_count > recipients_max && recipients_max > 0)
+      if (rcpt_count+1 < 0 || rcpt_count > recipients_max && recipients_max > 0)
     {
     if (recipients_max_reject)
       {