Commit | Line | Data |
---|---|---|
0c0c20aa AM |
1 | From 28335a4704d8d615fd61e05ea6e435a4cd24e4df Mon Sep 17 00:00:00 2001 |
2 | From: Qualys Security Advisory <qsa@qualys.com> | |
3 | Date: Sun, 21 Feb 2021 22:13:18 -0800 | |
4 | Subject: [PATCH 18/29] Security: Fix off-by-one in smtp transport (read | |
5 | response) | |
6 | ||
7 | Based on Heiko Schlittermann's commit 1887a160. This fixes: | |
8 | ||
9 | 1/ In src/transports/smtp.c: | |
10 | ||
11 | 2281 int n = sizeof(sx->buffer); | |
12 | 2282 uschar * rsp = sx->buffer; | |
13 | 2283 | |
14 | 2284 if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2) | |
15 | 2285 { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; } | |
16 | ||
17 | This should probably be either: | |
18 | ||
19 | rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1; | |
20 | ||
21 | or: | |
22 | ||
23 | rsp = sx->buffer + n; n = sizeof(sx->buffer) - n; | |
24 | ||
25 | (not sure which) to avoid an off-by-one. | |
26 | --- | |
27 | src/transports/smtp.c | 4 ++-- | |
28 | 1 file changed, 2 insertions(+), 2 deletions(-) | |
29 | ||
30 | diff --git a/src/transports/smtp.c b/src/transports/smtp.c | |
31 | index cc37e73f3..07b63a2aa 100644 | |
32 | --- a/src/transports/smtp.c | |
33 | +++ b/src/transports/smtp.c | |
34 | @@ -2328,8 +2328,8 @@ goto SEND_QUIT; | |
35 | int n = sizeof(sx->buffer); | |
36 | uschar * rsp = sx->buffer; | |
37 | ||
38 | - if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2) | |
39 | - { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; } | |
40 | + if (sx->esmtp_sent && (n = Ustrlen(sx->buffer) + 1) < sizeof(sx->buffer)/2) | |
41 | + { rsp = sx->buffer + n; n = sizeof(sx->buffer) - n; } | |
42 | ||
43 | if (smtp_write_command(sx, SCMD_FLUSH, "HELO %s\r\n", sx->helo_data) < 0) | |
44 | goto SEND_FAILED; | |
45 | -- | |
46 | 2.30.2 | |
47 |