Commit | Line | Data |
---|---|---|
d1e9e98a AM |
1 | From 2600301ba6dbac5c9d640c87007a07ee6dcea1f4 Mon Sep 17 00:00:00 2001 |
2 | From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> | |
3 | Date: Mon, 19 Aug 2019 14:45:48 +0200 | |
4 | Subject: [PATCH] string.c: do not interpret '\\' before '\0' (CVE-2019-15846) | |
5 | ||
6 | ||
7 | --- a/doc/ChangeLog | |
8 | +++ b/doc/ChangeLog | |
9 | @@ -4,6 +4,11 @@ This document describes *changes* to pre | |
10 | affect Exim's operation, with an unchanged configuration file. For new | |
11 | options, and new features, see the NewStuff file next to this ChangeLog. | |
12 | ||
13 | +Exim version 4.92.2 | |
14 | +------------------- | |
15 | + | |
16 | +HS/01 Handle trailing backslash gracefully. (CVE-2019-15846) | |
17 | + | |
18 | ||
01e60269 AM |
19 | Since version 4.92 |
20 | ------------------ | |
d1e9e98a AM |
21 | --- a/src/string.c |
22 | +++ b/src/string.c | |
01e60269 | 23 | @@ -224,6 +224,8 @@ interpreted in strings. |
d1e9e98a AM |
24 | Arguments: |
25 | pp points a pointer to the initiating "\" in the string; | |
26 | the pointer gets updated to point to the final character | |
27 | + If the backslash is the last character in the string, it | |
28 | + is not interpreted. | |
29 | Returns: the value of the character escape | |
30 | */ | |
31 | ||
01e60269 | 32 | @@ -236,6 +238,7 @@ const uschar *hex_digits= CUS"0123456789 |
d1e9e98a AM |
33 | int ch; |
34 | const uschar *p = *pp; | |
35 | ch = *(++p); | |
36 | +if (ch == '\0') return **pp; | |
37 | if (isdigit(ch) && ch != '8' && ch != '9') | |
38 | { | |
39 | ch -= '0'; | |
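Review bot: The early return `if (ch == '\0') return **pp;` depends on an invariant that is not written down anywhere in the patch: `*pp` is deliberately left on the backslash, so a caller that steps past the returned position lands on the terminating NUL rather than one byte beyond it. The header text added in the previous hunk says only that the backslash "is not interpreted"; it should also say that the backslash itself is returned and that `*pp` is not advanced in this case. I would put the reason on the line as well, e.g. `/* trailing '\\': return it and leave *pp alone so the caller cannot step over the NUL */`. The rest of the function body is outside the hunk, so whether the later hex and octal branches bound their look-ahead the same way cannot be confirmed from here; a regression input that ends in a single backslash would check it.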
01e60269 AM |
40 | @@ -1210,8 +1213,8 @@ memcpy(g->s + p, s, count); |
41 | g->ptr = p + count; | |
42 | return g; | |
43 | } | |
44 | - | |
45 | - | |
46 | + | |
47 | + | |
48 | gstring * | |
49 | string_cat(gstring *string, const uschar *s) | |
50 | { |