Commit | Line | Data |
---|---|---|
0baa7b9d SB |
1 | From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> |
2 | Date: Mon, 27 Nov 2017 22:42:33 +0100 | |
3 | Subject: Chunking: do not treat the first lonely dot special. CVE-2017-16944, | |
4 | Bug 2201 | |
5 | Origin: https://git.exim.org/exim.git/commit/4804c62909a62a3ac12ec4777ebd48c541028965 | |
6 | Bug: https://bugs.exim.org/show_bug.cgi?id=2201 | |
7 | Bug-Debian: https://bugs.debian.org/882671 | |
8 | Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16944 | |
9 | ||
10 | (cherry picked from commit 178ecb70987f024f0e775d87c2f8b2cf587dd542) | |
11 | ||
12 | Change log update | |
13 | ||
14 | (cherry picked from commit b488395f4d99d44a950073a64b35ec8729102782) | |
15 | ||
16 | --- | |
17 | diff --git a/src/receive.c b/src/receive.c | |
18 | index 20672dbe..2812ea2c 100644 | |
19 | --- a/src/receive.c | |
20 | +++ b/src/receive.c | |
21 | @@ -1827,7 +1827,7 @@ for (;;) | |
22 | prevent further reading), and break out of the loop, having freed the | |
23 | empty header, and set next = NULL to indicate no data line. */ | |
24 | ||
25 | - if (ptr == 0 && ch == '.' && (smtp_input || dot_ends)) | |
26 | + if (ptr == 0 && ch == '.' && dot_ends) | |
27 | { | |
28 | ch = (receive_getc)(GETC_BUFFER_UNLIMITED); | |
29 | if (ch == '\r') | |
30 | diff --git a/src/smtp_in.c b/src/smtp_in.c | |
31 | index 1b45f84d..02075404 100644 | |
32 | --- a/src/smtp_in.c | |
33 | +++ b/src/smtp_in.c | |
34 | @@ -4955,16 +4955,23 @@ while (done <= 0) | |
35 | DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n", | |
36 | (int)chunking_state, chunking_data_left); | |
37 | ||
38 | + /* push the current receive_* function on the "stack", and | |
39 | + replace them by bdat_getc(), which in turn will use the lwr_receive_* | |
40 | + functions to do the dirty work. */ | |
41 | lwr_receive_getc = receive_getc; | |
42 | lwr_receive_ungetc = receive_ungetc; | |
43 | + | |
44 | receive_getc = bdat_getc; | |
45 | receive_ungetc = bdat_ungetc; | |
46 | ||
47 | + dot_ends = FALSE; | |
48 | + | |
49 | goto DATA_BDAT; | |
50 | } | |
51 | ||
52 | case DATA_CMD: | |
53 | HAD(SCH_DATA); | |
54 | + dot_ends = TRUE; | |
55 | ||
56 | DATA_BDAT: /* Common code for DATA and BDAT */ | |
57 | if (!discarded && recipients_count <= 0) | |
58 | -- | |
59 | 2.15.0 | |
60 |