[hcoop/debian/exim4.git] / debian / patches / 84_18-Security-Fix-off-by-one-in-smtp-transport-read-respo.patch

From 28335a4704d8d615fd61e05ea6e435a4cd24e4df Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Sun, 21 Feb 2021 22:13:18 -0800
Subject: [PATCH 18/29] Security: Fix off-by-one in smtp transport (read
 response)

Based on Heiko Schlittermann's commit 1887a160. This fixes:

1/ In src/transports/smtp.c:

2281       int n = sizeof(sx->buffer);
2282       uschar * rsp = sx->buffer;
2283
2284       if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
2285         { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }

This should probably be either:

rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1;

or:

rsp = sx->buffer + n; n = sizeof(sx->buffer) - n;

(not sure which) to avoid an off-by-one.
---
 src/transports/smtp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/transports/smtp.c b/src/transports/smtp.c
index cc37e73f3..07b63a2aa 100644
--- a/src/transports/smtp.c
+++ b/src/transports/smtp.c
@@ -2328,8 +2328,8 @@ goto SEND_QUIT;
       int n = sizeof(sx->buffer);
       uschar * rsp = sx->buffer;
 
-      if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
-	{ rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
+      if (sx->esmtp_sent && (n = Ustrlen(sx->buffer) + 1) < sizeof(sx->buffer)/2)
+	{ rsp = sx->buffer + n; n = sizeof(sx->buffer) - n; }
 
       if (smtp_write_command(sx, SCMD_FLUSH, "HELO %s\r\n", sx->helo_data) < 0)
 	goto SEND_FAILED;
-- 
2.30.2
Commit	Line	Data
0c0c20aa AM	1	From 28335a4704d8d615fd61e05ea6e435a4cd24e4df Mon Sep 17 00:00:00 2001
	2	From: Qualys Security Advisory <qsa@qualys.com>
	3	Date: Sun, 21 Feb 2021 22:13:18 -0800
	4	Subject: [PATCH 18/29] Security: Fix off-by-one in smtp transport (read
	5	response)
	6
	7	Based on Heiko Schlittermann's commit 1887a160. This fixes:
	8
	9	1/ In src/transports/smtp.c:
	10
	11	2281 int n = sizeof(sx->buffer);
	12	2282 uschar * rsp = sx->buffer;
	13	2283
	14	2284 if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
	15	2285 { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
	16
	17	This should probably be either:
	18
	19	rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1;
	20
	21	or:
	22
	23	rsp = sx->buffer + n; n = sizeof(sx->buffer) - n;
	24
	25	(not sure which) to avoid an off-by-one.
	26	---
	27	src/transports/smtp.c \| 4 ++--
	28	1 file changed, 2 insertions(+), 2 deletions(-)
	29
	30	diff --git a/src/transports/smtp.c b/src/transports/smtp.c
	31	index cc37e73f3..07b63a2aa 100644
	32	--- a/src/transports/smtp.c
	33	+++ b/src/transports/smtp.c
	34	@@ -2328,8 +2328,8 @@ goto SEND_QUIT;
	35	int n = sizeof(sx->buffer);
	36	uschar * rsp = sx->buffer;
	37
	38	- if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
	39	- { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
	40	+ if (sx->esmtp_sent && (n = Ustrlen(sx->buffer) + 1) < sizeof(sx->buffer)/2)
	41	+ { rsp = sx->buffer + n; n = sizeof(sx->buffer) - n; }
	42
	43	if (smtp_write_command(sx, SCMD_FLUSH, "HELO %s\r\n", sx->helo_data) < 0)
	44	goto SEND_FAILED;
	45	--
	46	2.30.2
	47