[hcoop/debian/exim4.git] / debian / patches / 84_03-CVE-2020-28023-Out-of-bounds-read-in-smtp_setup_msg.patch

From 4cfadd994e5ab6e57cc43164d1e3198bb4faedbb Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Sun, 21 Feb 2021 19:11:55 -0800
Subject: [PATCH 03/29] CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()

Extracted from Jeremy Harris's commit afaf5a50.
---
 src/acl.c     | 3 ++-
 src/macros.h  | 1 +
 src/smtp_in.c | 4 ++--
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/acl.c b/src/acl.c
index f3b860e4a..49f6fe79c 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -4464,7 +4464,8 @@ switch (where)
     /* Drop cutthrough conns, and drop heldopen verify conns if
     the previous was not DATA */
     {
-    uschar prev = smtp_connection_had[smtp_ch_index-2];
+    uschar prev =
+      smtp_connection_had[SMTP_HBUFF_PREV(SMTP_HBUFF_PREV(smtp_ch_index))];
     BOOL dropverify = !(prev == SCH_DATA || prev == SCH_BDAT);
 
     cancel_cutthrough_connection(dropverify, US"quit or conndrop");
diff --git a/src/macros.h b/src/macros.h
index 0f93543ce..b3896b736 100644
--- a/src/macros.h
+++ b/src/macros.h
@@ -154,6 +154,7 @@ enough to hold all the headers from a normal kind of message. */
 /* The size of the circular buffer that remembers recent SMTP commands */
 
 #define SMTP_HBUFF_SIZE 20
+#define SMTP_HBUFF_PREV(n)	((n) ? (n)-1 : SMTP_HBUFF_SIZE-1)
 
 /* The initial size of a big buffer for use in various places. It gets put
 into big_buffer_size and in some circumstances increased. It should be at least
diff --git a/src/smtp_in.c b/src/smtp_in.c
index 86f87eae1..4265d77b7 100644
--- a/src/smtp_in.c
+++ b/src/smtp_in.c
@@ -5322,10 +5322,10 @@ while (done <= 0)
 	  }
 	if (f.smtp_in_pipelining_advertised && last_was_rcpt)
 	  smtp_printf("503 Valid RCPT command must precede %s\r\n", FALSE,
-	    smtp_names[smtp_connection_had[smtp_ch_index-1]]);
+	    smtp_names[smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)]]);
 	else
 	  done = synprot_error(L_smtp_protocol_error, 503, NULL,
-	    smtp_connection_had[smtp_ch_index-1] == SCH_DATA
+	    smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)] == SCH_DATA
 	    ? US"valid RCPT command must precede DATA"
 	    : US"valid RCPT command must precede BDAT");
 
-- 
2.30.2
Commit	Line	Data
0c0c20aa AM	1	From 4cfadd994e5ab6e57cc43164d1e3198bb4faedbb Mon Sep 17 00:00:00 2001
	2	From: Qualys Security Advisory <qsa@qualys.com>
	3	Date: Sun, 21 Feb 2021 19:11:55 -0800
	4	Subject: [PATCH 03/29] CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
	5
	6	Extracted from Jeremy Harris's commit afaf5a50.
	7	---
	8	src/acl.c \| 3 ++-
	9	src/macros.h \| 1 +
	10	src/smtp_in.c \| 4 ++--
	11	3 files changed, 5 insertions(+), 3 deletions(-)
	12
	13	diff --git a/src/acl.c b/src/acl.c
	14	index f3b860e4a..49f6fe79c 100644
	15	--- a/src/acl.c
	16	+++ b/src/acl.c
	17	@@ -4464,7 +4464,8 @@ switch (where)
	18	/* Drop cutthrough conns, and drop heldopen verify conns if
	19	the previous was not DATA */
	20	{
	21	- uschar prev = smtp_connection_had[smtp_ch_index-2];
	22	+ uschar prev =
	23	+ smtp_connection_had[SMTP_HBUFF_PREV(SMTP_HBUFF_PREV(smtp_ch_index))];
	24	BOOL dropverify = !(prev == SCH_DATA \|\| prev == SCH_BDAT);
	25
	26	cancel_cutthrough_connection(dropverify, US"quit or conndrop");
	27	diff --git a/src/macros.h b/src/macros.h
	28	index 0f93543ce..b3896b736 100644
	29	--- a/src/macros.h
	30	+++ b/src/macros.h
	31	@@ -154,6 +154,7 @@ enough to hold all the headers from a normal kind of message. */
	32	/* The size of the circular buffer that remembers recent SMTP commands */
	33
	34	#define SMTP_HBUFF_SIZE 20
	35	+#define SMTP_HBUFF_PREV(n) ((n) ? (n)-1 : SMTP_HBUFF_SIZE-1)
	36
	37	/* The initial size of a big buffer for use in various places. It gets put
	38	into big_buffer_size and in some circumstances increased. It should be at least
	39	diff --git a/src/smtp_in.c b/src/smtp_in.c
	40	index 86f87eae1..4265d77b7 100644
	41	--- a/src/smtp_in.c
	42	+++ b/src/smtp_in.c
	43	@@ -5322,10 +5322,10 @@ while (done <= 0)
	44	}
	45	if (f.smtp_in_pipelining_advertised && last_was_rcpt)
	46	smtp_printf("503 Valid RCPT command must precede %s\r\n", FALSE,
	47	- smtp_names[smtp_connection_had[smtp_ch_index-1]]);
	48	+ smtp_names[smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)]]);
	49	else
	50	done = synprot_error(L_smtp_protocol_error, 503, NULL,
	51	- smtp_connection_had[smtp_ch_index-1] == SCH_DATA
	52	+ smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)] == SCH_DATA
	53	? US"valid RCPT command must precede DATA"
	54	: US"valid RCPT command must precede BDAT");
	55
	56	--
	57	2.30.2
	58