[hcoop/debian/exim4.git] / debian / patches / 84_13-CVE-2020-28024-Heap-buffer-underflow-in-smtp_ungetc.patch

From 7ea481a6471cdad3a674b767f808357b3c7fc721 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Sun, 21 Feb 2021 21:49:30 -0800
Subject: [PATCH 13/29] CVE-2020-28024: Heap buffer underflow in smtp_ungetc()

---
 src/smtp_in.c | 3 +++
 src/tls.c     | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/src/smtp_in.c b/src/smtp_in.c
index 16c3a3e33..bdcfde65f 100644
--- a/src/smtp_in.c
+++ b/src/smtp_in.c
@@ -805,6 +805,9 @@ Returns:       the character
 int
 smtp_ungetc(int ch)
 {
+if (smtp_inptr <= smtp_inbuffer)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in smtp_ungetc");
+
 *--smtp_inptr = ch;
 return ch;
 }
diff --git a/src/tls.c b/src/tls.c
index f79bc3193..2a316fe59 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -151,6 +151,9 @@ Returns:       the character
 int
 tls_ungetc(int ch)
 {
+if (ssl_xfer_buffer_lwm <= 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in tls_ungetc");
+
 ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch;
 return ch;
 }
-- 
2.30.2
Commit	Line	Data
0c0c20aa AM	1	From 7ea481a6471cdad3a674b767f808357b3c7fc721 Mon Sep 17 00:00:00 2001
	2	From: Qualys Security Advisory <qsa@qualys.com>
	3	Date: Sun, 21 Feb 2021 21:49:30 -0800
	4	Subject: [PATCH 13/29] CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
	5
	6	---
	7	src/smtp_in.c \| 3 +++
	8	src/tls.c \| 3 +++
	9	2 files changed, 6 insertions(+)
	10
	11	diff --git a/src/smtp_in.c b/src/smtp_in.c
	12	index 16c3a3e33..bdcfde65f 100644
	13	--- a/src/smtp_in.c
	14	+++ b/src/smtp_in.c
	15	@@ -805,6 +805,9 @@ Returns: the character
	16	int
	17	smtp_ungetc(int ch)
	18	{
	19	+if (smtp_inptr <= smtp_inbuffer)
	20	+ log_write(0, LOG_MAIN\|LOG_PANIC_DIE, "buffer underflow in smtp_ungetc");
	21	+
	22	*--smtp_inptr = ch;
	23	return ch;
	24	}
	25	diff --git a/src/tls.c b/src/tls.c
	26	index f79bc3193..2a316fe59 100644
	27	--- a/src/tls.c
	28	+++ b/src/tls.c
	29	@@ -151,6 +151,9 @@ Returns: the character
	30	int
	31	tls_ungetc(int ch)
	32	{
	33	+if (ssl_xfer_buffer_lwm <= 0)
	34	+ log_write(0, LOG_MAIN\|LOG_PANIC_DIE, "buffer underflow in tls_ungetc");
	35	+
	36	ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch;
	37	return ch;
	38	}
	39	--
	40	2.30.2
	41