0c0c20aa AM |
1 | From 6b647c508aced6961f00e139f0337e2c8aba9eb7 Mon Sep 17 00:00:00 2001 |
2 | From: Qualys Security Advisory <qsa@qualys.com> | |
3 | Date: Sun, 21 Feb 2021 22:24:13 -0800 | |
4 | Subject: [PATCH 20/29] Security: Leave a clean smtp_out input buffer even in | |
5 | case of read error | |
6 | ||
7 | Based on Heiko Schlittermann's commit 54895bc3. This fixes: | |
8 | ||
9 | 7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated | |
10 | when -1 is returned. This does not seem to have bad consequences, but is | |
11 | maybe not the intended behavior. | |
12 | --- | |
13 | src/smtp_out.c | 6 ++++-- | |
14 | 1 file changed, 4 insertions(+), 2 deletions(-) | |
15 | ||
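--- a/src/smtp_out.c
+++ b/src/smtp_out.c
@@ -387,11 +387,11 @@ HDEBUG(D_transport|D_acl|D_v)
 #ifdef SUPPORT_SOCKS
 if (ob->socks_proxy)
 {
 int sock = socks_sock_connect(sc->host, sc->host_af, port, sc->interface,
 sc->tblock, ob->connect_timeout);
-
+
 if (sock >= 0)
 {
 if (early_data && early_data->data && early_data->len)
 if (send(sock, early_data->data, early_data->len, 0) < 0)
 {
@@ -588,11 +588,11 @@ Arguments:
 buffer where to put the line
 size space available for the line
 timelimit deadline for reading the lime, seconds past epoch
 
 Returns: length of a line that has been put in the buffer
- -1 otherwise, with errno set
+ -1 otherwise, with errno set, and inblock->ptr adjusted
 */
 
 static int
 read_response_line(smtp_inblock *inblock, uschar *buffer, int size, time_t timelimit)
 {
@@ -629,10 +629,11 @@ for (;;)
 *p++ = c;
 if (--size < 4)
 {
 *p = 0; /* Leave malformed line for error message */
 errno = ERRNO_SMTPFORMAT;
+ inblock->ptr = ptr;
 return -1;
 }
 }
 
 /* Need to read a new input packet. */
@@ -654,10 +655,11 @@ for (;;)
 }
 
 /* Get here if there has been some kind of recv() error; errno is set, but we
 ensure that the result buffer is empty before returning. */
 
+inblock->ptr = inblock->ptrend = inblock->buffer;
 *buffer = 0;
 return -1;
 }
 
 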
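Review bot: The two error returns in read_response_line() now leave the input block in different states, and the updated header text ("inblock->ptr adjusted") does not say which state goes with which error. In the overlong-line path `inblock->ptr = ptr;` keeps the unread remainder, so a caller that reads again after ERRNO_SMTPFORMAT would presumably see the tail of the same malformed line parsed as a fresh response from the remote server, whereas the recv() error path discards everything with `inblock->ptr = inblock->ptrend = inblock->buffer;`. I would spell this out in the Returns text, e.g. `-1 otherwise, with errno set; inblock->ptr is advanced past the consumed bytes on a format error, and the input buffer is emptied on a recv() error`, and extend the comment above the final return to say that the input block is reset as well as the result buffer. Whether any caller retries on the same inblock after a format error cannot be confirmed here, since most of the read loop lies outside these hunks.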