[hcoop/debian/exim4.git] / debian / patches / 80_Avoid-release-of-store-if-there-have-been-later-allo.patch

From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Fri, 24 Nov 2017 20:22:33 +0000
Subject: Avoid release of store if there have been later allocations.  Bug
 2199
Origin: https://git.exim.org/exim.git/commit/4090d62a4b25782129cc1643596dc2f6e8f63bde
Bug: https://bugs.exim.org/show_bug.cgi?id=2199
Bug-Debian: https://bugs.debian.org/882648
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16943

---
diff --git a/src/receive.c b/src/receive.c
index 95cf13e1..20672dbe 100644
--- a/src/receive.c
+++ b/src/receive.c
@@ -1772,8 +1772,8 @@ for (;;)
   (and sometimes lunatic messages can have ones that are 100s of K long) we
   call store_release() for strings that have been copied - if the string is at
   the start of a block (and therefore the only thing in it, because we aren't
-  doing any other gets), the block gets freed. We can only do this because we
-  know there are no other calls to store_get() going on. */
+  doing any other gets), the block gets freed. We can only do this release if
+  there were no allocations since the once that we want to free. */
 
   if (ptr >= header_size - 4)
     {
@@ -1782,9 +1782,10 @@ for (;;)
     header_size *= 2;
     if (!store_extend(next->text, oldsize, header_size))
       {
+      BOOL release_ok = store_last_get[store_pool] == next->text;
       uschar *newtext = store_get(header_size);
       memcpy(newtext, next->text, ptr);
-      store_release(next->text);
+      if (release_ok) store_release(next->text);
       next->text = newtext;
       }
     }
-- 
2.15.0
Commit	Line	Data
0baa7b9d SB	1	From: Jeremy Harris <jgh146exb@wizmail.org>
	2	Date: Fri, 24 Nov 2017 20:22:33 +0000
	3	Subject: Avoid release of store if there have been later allocations. Bug
	4	2199
	5	Origin: https://git.exim.org/exim.git/commit/4090d62a4b25782129cc1643596dc2f6e8f63bde
	6	Bug: https://bugs.exim.org/show_bug.cgi?id=2199
	7	Bug-Debian: https://bugs.debian.org/882648
	8	Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16943
	9
	10	---
	11	diff --git a/src/receive.c b/src/receive.c
	12	index 95cf13e1..20672dbe 100644
	13	--- a/src/receive.c
	14	+++ b/src/receive.c
	15	@@ -1772,8 +1772,8 @@ for (;;)
	16	(and sometimes lunatic messages can have ones that are 100s of K long) we
	17	call store_release() for strings that have been copied - if the string is at
	18	the start of a block (and therefore the only thing in it, because we aren't
	19	- doing any other gets), the block gets freed. We can only do this because we
	20	- know there are no other calls to store_get() going on. */
	21	+ doing any other gets), the block gets freed. We can only do this release if
	22	+ there were no allocations since the once that we want to free. */
	23
	24	if (ptr >= header_size - 4)
	25	{
	26	@@ -1782,9 +1782,10 @@ for (;;)
	27	header_size *= 2;
	28	if (!store_extend(next->text, oldsize, header_size))
	29	{
	30	+ BOOL release_ok = store_last_get[store_pool] == next->text;
	31	uschar *newtext = store_get(header_size);
	32	memcpy(newtext, next->text, ptr);
	33	- store_release(next->text);
	34	+ if (release_ok) store_release(next->text);
	35	next->text = newtext;
	36	}
	37	}
	38	--
	39	2.15.0
	40