1 | From 4cfadd994e5ab6e57cc43164d1e3198bb4faedbb Mon Sep 17 00:00:00 2001 |
2 | From: Qualys Security Advisory <qsa@qualys.com> | |
3 | Date: Sun, 21 Feb 2021 19:11:55 -0800 | |
4 | Subject: [PATCH 03/29] CVE-2020-28023: Out-of-bounds read in smtp_setup_msg() | |
5 | ||
6 | Extracted from Jeremy Harris's commit afaf5a50. | |
7 | --- | |
8 | src/acl.c | 3 ++- | |
9 | src/macros.h | 1 + | |
10 | src/smtp_in.c | 4 ++-- | |
11 | 3 files changed, 5 insertions(+), 3 deletions(-) | |
12 | ||
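diff --git a/src/acl.c b/src/acl.c
index f3b860e4a..49f6fe79c 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -4464,7 +4464,8 @@ switch (where)
 /* Drop cutthrough conns, and drop heldopen verify conns if
 the previous was not DATA */
 {
- uschar prev = smtp_connection_had[smtp_ch_index-2];
+ uschar prev =
+ smtp_connection_had[SMTP_HBUFF_PREV(SMTP_HBUFF_PREV(smtp_ch_index))];
 BOOL dropverify = !(prev == SCH_DATA || prev == SCH_BDAT);
 
 cancel_cutthrough_connection(dropverify, US"quit or conndrop");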
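Review bot: The wrapped lookup `smtp_connection_had[SMTP_HBUFF_PREV(SMTP_HBUFF_PREV(smtp_ch_index))]` stays inside the array, but when fewer than two commands have been recorded it now reads a slot near the end of the buffer that this hunk does not show being written. If those slots are not reset to a neutral value per connection, `prev` could hold a stale SCH_DATA or SCH_BDAT and flip `dropverify`; the one-step lookups in src/smtp_in.c have the same dependency. I would confirm how the buffer is initialised and, once confirmed, record it here with a comment such as `/* unwritten slots keep their initial value, so prev cannot match DATA/BDAT by accident */`. The enclosing switch case starts and ends outside the hunk.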
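diff --git a/src/macros.h b/src/macros.h
index 0f93543ce..b3896b736 100644
--- a/src/macros.h
+++ b/src/macros.h
@@ -154,6 +154,7 @@ enough to hold all the headers from a normal kind of message. */
 /* The size of the circular buffer that remembers recent SMTP commands */
 
 #define SMTP_HBUFF_SIZE 20
+#define SMTP_HBUFF_PREV(n) ((n) ? (n)-1 : SMTP_HBUFF_SIZE-1)
 
 /* The initial size of a big buffer for use in various places. It gets put
 into big_buffer_size and in some circumstances increased. It should be at least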
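Review bot: `SMTP_HBUFF_PREV(n)` is added without a comment and relies on two unstated preconditions: `n` must already lie in 0..SMTP_HBUFF_SIZE-1, and the argument is evaluated twice. Only the zero case wraps; a negative or oversized `n` is simply decremented, so the macro closes the out-of-bounds read only if every writer of `smtp_ch_index` keeps it in range, which is not visible in this patch. I would document that above the define, e.g. `/* Previous slot in the circular buffer; n must be 0..SMTP_HBUFF_SIZE-1 and free of side effects (evaluated twice) */`.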
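diff --git a/src/smtp_in.c b/src/smtp_in.c
index 86f87eae1..4265d77b7 100644
--- a/src/smtp_in.c
+++ b/src/smtp_in.c
@@ -5322,10 +5322,10 @@ while (done <= 0)
 }
 if (f.smtp_in_pipelining_advertised && last_was_rcpt)
 smtp_printf("503 Valid RCPT command must precede %s\r\n", FALSE,
- smtp_names[smtp_connection_had[smtp_ch_index-1]]);
+ smtp_names[smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)]]);
 else
 done = synprot_error(L_smtp_protocol_error, 503, NULL,
- smtp_connection_had[smtp_ch_index-1] == SCH_DATA
+ smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)] == SCH_DATA
 ? US"valid RCPT command must precede DATA"
 : US"valid RCPT command must precede BDAT");
 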
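Review bot: The expression `smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)]` is now spelled out twice in adjacent branches, and in the first branch its value indexes `smtp_names` directly with no range check visible in the hunk. Hoisting it into a local, as src/acl.c does with `prev`, keeps both branches in step and gives one place to guard the table lookup: `uschar prev = smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)];`, then `smtp_names[prev]` and `prev == SCH_DATA`. Whether `smtp_names` has an entry for every value the history buffer can hold cannot be told from here and is worth confirming. The surrounding `while (done <= 0)` loop starts and ends outside the hunk.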
56 | -- | |
57 | 2.30.2 | |
58 |