| 1 | From: Jeremy Harris <jgh146exb@wizmail.org> |
| 2 | Date: Fri, 24 Nov 2017 20:22:33 +0000 |
| 3 | Subject: Avoid release of store if there have been later allocations. Bug |
| 4 | 2199 |
| 5 | Origin: https://git.exim.org/exim.git/commit/4090d62a4b25782129cc1643596dc2f6e8f63bde |
| 6 | Bug: https://bugs.exim.org/show_bug.cgi?id=2199 |
| 7 | Bug-Debian: https://bugs.debian.org/882648 |
| 8 | Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16943 |
| 9 | |
| 10 | --- |
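--- a/src/receive.c
+++ b/src/receive.c
@@ -1772,8 +1772,8 @@ for (;;)
 (and sometimes lunatic messages can have ones that are 100s of K long) we
 call store_release() for strings that have been copied - if the string is at
 the start of a block (and therefore the only thing in it, because we aren't
-doing any other gets), the block gets freed. We can only do this because we
-know there are no other calls to store_get() going on. */
+doing any other gets), the block gets freed. We can only do this release if
+there were no allocations since the once that we want to free. */
 
 if (ptr >= header_size - 4)
 {
@@ -1782,9 +1782,10 @@ for (;;)
 header_size *= 2;
 if (!store_extend(next->text, oldsize, header_size))
 {
+BOOL release_ok = store_last_get[store_pool] == next->text;
 uschar *newtext = store_get(header_size);
 memcpy(newtext, next->text, ptr);
-store_release(next->text);
+if (release_ok) store_release(next->text);
 next->text = newtext;
 }
 }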
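Review bot: The `release_ok` guard only works because it is evaluated before the `store_get(header_size)` call on the following line — presumably that call advances `store_last_get[store_pool]`, after which the comparison against `next->text` could never hold — so the ordering deserves a comment that stops a later reorder from silently reinstating the unconditional `store_release(next->text)` this commit removes, e.g. `/* Must be computed before the store_get() below, which moves store_last_get. */`. The new comment in the first hunk reads `since the once that we want to free`; `once` should be `one`. When `release_ok` is false the old block is now left allocated rather than released; it would help to state in the same comment that it is then reclaimed when the pool is reset, if that is indeed how the store pools work — I cannot confirm it from this hunk. The enclosing `for (;;)` loop starts and ends outside the hunk.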
| 38 | -- |
| 39 | 2.15.0 |
| 40 | |