HCoop / hcoop / debian / exim4.git / blame
| Commit | Line | Data |
|---|---|---|
| 0c0c20aa AM |
1 | From 56aadff97bc4e45e6a2ce25cfb9a98a4ae4bec79 Mon Sep 17 00:00:00 2001 |
| 2 | From: Qualys Security Advisory <qsa@qualys.com> | |
| 3 | Date: Sun, 21 Feb 2021 22:05:37 -0800 | |
| 4 | Subject: [PATCH 16/29] Security: Check overrun rcpt_count integer | |
| 5 | ||
| 6 | Based on Heiko Schlittermann's commit e5cb5e61. This fixes: | |
| 7 | ||
| 8 | 4/ In src/smtp_in.c: | |
| 9 | ||
| 10 | 4966 case RCPT_CMD: | |
| 11 | 4967 HAD(SCH_RCPT); | |
| 12 | 4968 rcpt_count++; | |
| 13 | .... | |
| 14 | 5123 if (rcpt_count > recipients_max && recipients_max > 0) | |
| 15 | ||
| 16 | In theory this recipients_max check can be bypassed, because the int | |
| 17 | rcpt_count can overflow (become negative). In practice this would either | |
| 18 | consume too much memory or generate too much network traffic, but maybe | |
| 19 | it should be fixed anyway. | |
| 20 | --- | |
| 21 | src/smtp_in.c | 2 ++ | |
| 22 | 1 file changed, 2 insertions(+) | |
| 23 | ||
| 24 | diff --git a/src/smtp_in.c b/src/smtp_in.c | |
| 25 | index bdcfde65f..1a5fbfea3 100644 | |
| 26 | --- a/src/smtp_in.c | |
| 27 | +++ b/src/smtp_in.c | |
| 28 | @@ -4993,6 +4993,8 @@ while (done <= 0) | |
| 29 | ||
| 30 | case RCPT_CMD: | |
| 31 | HAD(SCH_RCPT); | |
| 32 | + if (rcpt_count < 0 || rcpt_count >= INT_MAX/2) | |
| 33 | + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Too many recipients: %d", rcpt_count); | |
| 34 | rcpt_count++; | |
| 35 | was_rcpt = fl.rcpt_in_progress = TRUE; | |
| 36 | ||
| 37 | -- | |
| 38 | 2.30.2 | |
| 39 |