Commit | Line | Data |
---|---|---|
0c0c20aa AM |
1 | From 56aadff97bc4e45e6a2ce25cfb9a98a4ae4bec79 Mon Sep 17 00:00:00 2001 |
2 | From: Qualys Security Advisory <qsa@qualys.com> | |
3 | Date: Sun, 21 Feb 2021 22:05:37 -0800 | |
4 | Subject: [PATCH 16/29] Security: Check overrun rcpt_count integer | |
5 | ||
6 | Based on Heiko Schlittermann's commit e5cb5e61. This fixes: | |
7 | ||
8 | 4/ In src/smtp_in.c: | |
9 | ||
10 | 4966 case RCPT_CMD: | |
11 | 4967 HAD(SCH_RCPT); | |
12 | 4968 rcpt_count++; | |
13 | .... | |
14 | 5123 if (rcpt_count > recipients_max && recipients_max > 0) | |
15 | ||
16 | In theory this recipients_max check can be bypassed, because the int | |
17 | rcpt_count can overflow (become negative). In practice this would either | |
18 | consume too much memory or generate too much network traffic, but maybe | |
19 | it should be fixed anyway. | |
20 | --- | |
21 | src/smtp_in.c | 2 ++ | |
22 | 1 file changed, 2 insertions(+) | |
23 | ||
24 | diff --git a/src/smtp_in.c b/src/smtp_in.c | |
25 | index bdcfde65f..1a5fbfea3 100644 | |
26 | --- a/src/smtp_in.c | |
27 | +++ b/src/smtp_in.c | |
28 | @@ -4993,6 +4993,8 @@ while (done <= 0) | |
29 | ||
30 | case RCPT_CMD: | |
31 | HAD(SCH_RCPT); | |
32 | + if (rcpt_count < 0 || rcpt_count >= INT_MAX/2) | |
33 | + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Too many recipients: %d", rcpt_count); | |
34 | rcpt_count++; | |
35 | was_rcpt = fl.rcpt_in_progress = TRUE; | |
36 | ||
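Review bot: The guard added ahead of `rcpt_count++` uses `INT_MAX/2` as its limit with no comment saying why half the range was chosen, and it handles the condition with `LOG_PANIC_DIE`, even though the counter advances on every RCPT command the client sends. A short comment above the `if` would help: it should say that the test runs before the increment so the signed `int` can never wrap, and that `rcpt_count < 0` is a defensive check for a value that has already gone wrong. It is also worth stating in the commit message or a comment that terminating the process and writing to the panic log is the intended response here, rather than rejecting the command with an SMTP error. The guard applies whether or not `recipients_max` is set, which looks right given that the quoted check at line 5123 is skipped when `recipients_max` is 0, but nothing in the hunk says so.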
37 | -- | |
38 | 2.30.2 | |
39 |