HCoop / hcoop / debian / exim4.git / blame
| Commit | Line | Data |
|---|---|---|
| 0c0c20aa AM |
1 | From 5987d0dfe88ee6081b72857bc8085c7d2afd53a3 Mon Sep 17 00:00:00 2001 |
| 2 | From: Qualys Security Advisory <qsa@qualys.com> | |
| 3 | Date: Sun, 21 Feb 2021 19:17:32 -0800 | |
| 4 | Subject: [PATCH 04/29] CVE-2020-28010: Heap out-of-bounds write in main() | |
| 5 | ||
| 6 | Based on Phil Pennock's commit 0f57feb4. | |
| 7 | --- | |
| 8 | src/exim.c | 11 ++++++----- | |
| 9 | 1 file changed, 6 insertions(+), 5 deletions(-) | |
| 10 | ||
| 11 | diff --git a/src/exim.c b/src/exim.c | |
| 12 | index 83b5ef51f..a7dc48c4e 100644 | |
| 13 | --- a/src/exim.c | |
| 14 | +++ b/src/exim.c | |
| 15 | @@ -3664,6 +3664,9 @@ during readconf_main() some expansion takes place already. */ | |
| 16 | /* Store the initial cwd before we change directories. Can be NULL if the | |
| 17 | dir has already been unlinked. */ | |
| 18 | initial_cwd = os_getcwd(NULL, 0); | |
| 19 | +if (initial_cwd && strlen(CCS initial_cwd) >= BIG_BUFFER_SIZE) { | |
| 20 | + exim_fail("exim: initial cwd is far too long\n"); | |
| 21 | +} | |
| 22 | ||
| 23 | /* checking: | |
| 24 | -be[m] expansion test - | |
| 25 | @@ -3950,11 +3953,9 @@ if ( (debug_selector & D_any || LOGGING(arguments)) | |
| 26 | p += 13; | |
| 27 | else | |
| 28 | { | |
| 29 | - Ustrncpy(p + 4, initial_cwd, big_buffer_size-5); | |
| 30 | - p += 4 + Ustrlen(initial_cwd); | |
| 31 | - /* in case p is near the end and we don't provide enough space for | |
| 32 | - * string_format to be willing to write. */ | |
| 33 | - *p = '\0'; | |
| 34 | + p += 4; | |
| 35 | + snprintf(CS p, big_buffer_size - (p - big_buffer), "%s", CCS initial_cwd); | |
| 36 | + p += strlen(CCS p); | |
| 37 | } | |
| 38 | ||
| 39 | (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc); | |
| 40 | -- | |
| 41 | 2.30.2 | |
| 42 |