[exim-cvs] CVE-2020-28010: Heap out-of-bounds write in main(…

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] CVE-2020-28010: Heap out-of-bounds write in main()
Gitweb: https://git.exim.org/exim.git/commitdiff/748ff65b0d648e9d4d1077190a07679dd54ab231
Commit:     748ff65b0d648e9d4d1077190a07679dd54ab231
Parent:     6649a4305126a4baa48d4c5b07568a519939fb17
Author:     Heiko Schlittermann (HS12-RIPE) <hs@???>
AuthorDate: Mon Mar 29 22:16:28 2021 +0200
Committer:  Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Thu May 27 21:30:45 2021 +0200


    CVE-2020-28010: Heap out-of-bounds write in main()


    Based on Phil Pennock's 0f57feb4. Done by Qualys, modified by me.


    (cherry picked from commit b0982c2776048948ebae48574b70fa487684cb8c)
    (cherry picked from commit dbc3ab675c2e5e2a07ed13dc5ede4daa018600e7)
---
 src/src/exim.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)


diff --git a/src/src/exim.c b/src/src/exim.c
index 49ba9e7..0865d64 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -3881,7 +3881,6 @@ during readconf_main() some expansion takes place already. */

 /* Store the initial cwd before we change directories.  Can be NULL if the
 dir has already been unlinked. */
-errno = 0;
 initial_cwd = os_getcwd(NULL, 0);
 if (!initial_cwd && errno)
   exim_fail("exim: getting initial cwd failed: %s\n", strerror(errno));
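
Review bot: With `errno = 0;` removed, the unchanged test `if (!initial_cwd && errno)` now reads whatever value errno held before the call. If os_getcwd() can return NULL without setting errno, a stale nonzero value from an earlier library call would turn the tolerated "dir has already been unlinked" case into a fatal exim_fail() with a misleading strerror() text. Either keep the reset, or state in the comment above that os_getcwd() always sets errno on failure and say which errno values the check is meant to treat as fatal.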
@@ -4175,11 +4174,9 @@ if (  (debug_selector & D_any  ||  LOGGING(arguments))
     p += 13;
   else
     {
-    Ustrncpy(p + 4, initial_cwd, big_buffer_size-5);
-    p += 4 + Ustrlen(initial_cwd);
-    /* in case p is near the end and we don't provide enough space for
-     * string_format to be willing to write. */
-    *p = '\0';
+    p += 4;
+    snprintf(CS p, big_buffer_size - (p - big_buffer), "%s", CCS initial_cwd);
+    p += Ustrlen(CCS p);
     }


(void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
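
Review bot: The snprintf() call in the else branch discards its return value, so a cwd that does not fit in the remaining space is truncated silently and the logged line gives no hint that the path is incomplete. Recomputing the length with `p += Ustrlen(CCS p);` is what keeps p inside big_buffer after truncation, which is the point of the fix, so that deserves a short comment now that the old explanatory comment is gone. The size argument `big_buffer_size - (p - big_buffer)` is signed arithmetic converted to size_t and is repeated verbatim in the string_format() call below; computing it once into a named variable, with a check that it is positive, would make the bound easier to audit.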