[hcoop/debian/exim4.git] / debian / patches / 84_09-CVE-2020-28022-Heap-out-of-bounds-read-and-write-in-.patch

From f46455c848def70d686d7b164df75b27f8dae04d Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Sun, 21 Feb 2021 19:53:43 -0800
Subject: [PATCH 09/29] CVE-2020-28022: Heap out-of-bounds read and write in
 extract_option()

Based on Phil Pennock's commit c5017adf.
---
 src/smtp_in.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/src/smtp_in.c b/src/smtp_in.c
index 4265d77b7..16c3a3e33 100644
--- a/src/smtp_in.c
+++ b/src/smtp_in.c
@@ -1984,29 +1984,35 @@ static BOOL
 extract_option(uschar **name, uschar **value)
 {
 uschar *n;
-uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
-while (isspace(*v)) v--;
+uschar *v;
+if (Ustrlen(smtp_cmd_data) <= 0) return FALSE;
+v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
+while (v > smtp_cmd_data && isspace(*v)) v--;
 v[1] = 0;
+
 while (v > smtp_cmd_data && *v != '=' && !isspace(*v))
   {
   /* Take care to not stop at a space embedded in a quoted local-part */
-
-  if (*v == '"') do v--; while (*v != '"' && v > smtp_cmd_data+1);
+  if (*v == '"')
+    {
+    do v--; while (v > smtp_cmd_data && *v != '"');
+    if (v <= smtp_cmd_data) return FALSE;
+    }
   v--;
   }
+if (v <= smtp_cmd_data) return FALSE;
 
 n = v;
 if (*v == '=')
   {
-  while(isalpha(n[-1])) n--;
+  while (n > smtp_cmd_data && isalpha(n[-1])) n--;
   /* RFC says SP, but TAB seen in wild and other major MTAs accept it */
-  if (!isspace(n[-1])) return FALSE;
+  if (n <= smtp_cmd_data || !isspace(n[-1])) return FALSE;
   n[-1] = 0;
   }
 else
   {
   n++;
-  if (v == smtp_cmd_data) return FALSE;
   }
 *v++ = 0;
 *name = n;
-- 
2.30.2
Commit	Line	Data
0c0c20aa AM	1	From f46455c848def70d686d7b164df75b27f8dae04d Mon Sep 17 00:00:00 2001
	2	From: Qualys Security Advisory <qsa@qualys.com>
	3	Date: Sun, 21 Feb 2021 19:53:43 -0800
	4	Subject: [PATCH 09/29] CVE-2020-28022: Heap out-of-bounds read and write in
	5	extract_option()
	6
	7	Based on Phil Pennock's commit c5017adf.
	8	---
	9	src/smtp_in.c \| 20 +++++++++++++-------
	10	1 file changed, 13 insertions(+), 7 deletions(-)
	11
	12	diff --git a/src/smtp_in.c b/src/smtp_in.c
	13	index 4265d77b7..16c3a3e33 100644
	14	--- a/src/smtp_in.c
	15	+++ b/src/smtp_in.c
	16	@@ -1984,29 +1984,35 @@ static BOOL
	17	extract_option(uschar name, uschar value)
	18	{
	19	uschar *n;
	20	-uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
	21	-while (isspace(*v)) v--;
	22	+uschar *v;
	23	+if (Ustrlen(smtp_cmd_data) <= 0) return FALSE;
	24	+v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
	25	+while (v > smtp_cmd_data && isspace(*v)) v--;
	26	v[1] = 0;
	27	+
	28	while (v > smtp_cmd_data && v != '=' && !isspace(v))
	29	{
	30	/* Take care to not stop at a space embedded in a quoted local-part */
	31	-
	32	- if (v == '"') do v--; while (v != '"' && v > smtp_cmd_data+1);
	33	+ if (*v == '"')
	34	+ {
	35	+ do v--; while (v > smtp_cmd_data && *v != '"');
	36	+ if (v <= smtp_cmd_data) return FALSE;
	37	+ }
	38	v--;
	39	}
	40	+if (v <= smtp_cmd_data) return FALSE;
	41
	42	n = v;
	43	if (*v == '=')
	44	{
	45	- while(isalpha(n[-1])) n--;
	46	+ while (n > smtp_cmd_data && isalpha(n[-1])) n--;
	47	/* RFC says SP, but TAB seen in wild and other major MTAs accept it */
	48	- if (!isspace(n[-1])) return FALSE;
	49	+ if (n <= smtp_cmd_data \|\| !isspace(n[-1])) return FALSE;
	50	n[-1] = 0;
	51	}
	52	else
	53	{
	54	n++;
	55	- if (v == smtp_cmd_data) return FALSE;
	56	}
	57	*v++ = 0;
	58	*name = n;
	59	--
	60	2.30.2
	61