[hcoop/debian/exim4.git] / debian / patches / 84_20-Security-Leave-a-clean-smtp_out-input-buffer-even-in.patch

From 6b647c508aced6961f00e139f0337e2c8aba9eb7 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Sun, 21 Feb 2021 22:24:13 -0800
Subject: [PATCH 20/29] Security: Leave a clean smtp_out input buffer even in
 case of read error

Based on Heiko Schlittermann's commit 54895bc3. This fixes:

7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
when -1 is returned. This does not seem to have bad consequences, but is
maybe not the intended behavior.
---
 src/smtp_out.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/src/smtp_out.c
+++ b/src/smtp_out.c
@@ -387,11 +387,11 @@ HDEBUG(D_transport|D_acl|D_v)
 #ifdef SUPPORT_SOCKS
 if (ob->socks_proxy)
   {
   int sock = socks_sock_connect(sc->host, sc->host_af, port, sc->interface,
 				sc->tblock, ob->connect_timeout);
-  
+
   if (sock >= 0)
     {
     if (early_data && early_data->data && early_data->len)
       if (send(sock, early_data->data, early_data->len, 0) < 0)
 	{
@@ -588,11 +588,11 @@ Arguments:
   buffer    where to put the line
   size      space available for the line
   timelimit deadline for reading the lime, seconds past epoch
 
 Returns:    length of a line that has been put in the buffer
-            -1 otherwise, with errno set
+            -1 otherwise, with errno set, and inblock->ptr adjusted
 */
 
 static int
 read_response_line(smtp_inblock *inblock, uschar *buffer, int size, time_t timelimit)
 {
@@ -629,10 +629,11 @@ for (;;)
     *p++ = c;
     if (--size < 4)
       {
       *p = 0;                     /* Leave malformed line for error message */
       errno = ERRNO_SMTPFORMAT;
+      inblock->ptr = ptr;
       return -1;
       }
     }
 
   /* Need to read a new input packet. */
@@ -654,10 +655,11 @@ for (;;)
   }
 
 /* Get here if there has been some kind of recv() error; errno is set, but we
 ensure that the result buffer is empty before returning. */
 
+inblock->ptr = inblock->ptrend = inblock->buffer;
 *buffer = 0;
 return -1;
 }
Commit	Line	Data
0c0c20aa AM	1	From 6b647c508aced6961f00e139f0337e2c8aba9eb7 Mon Sep 17 00:00:00 2001
	2	From: Qualys Security Advisory <qsa@qualys.com>
	3	Date: Sun, 21 Feb 2021 22:24:13 -0800
	4	Subject: [PATCH 20/29] Security: Leave a clean smtp_out input buffer even in
	5	case of read error
	6
	7	Based on Heiko Schlittermann's commit 54895bc3. This fixes:
	8
	9	7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
	10	when -1 is returned. This does not seem to have bad consequences, but is
	11	maybe not the intended behavior.
	12	---
	13	src/smtp_out.c \| 6 ++++--
	14	1 file changed, 4 insertions(+), 2 deletions(-)
	15
	16	--- a/src/smtp_out.c
	17	+++ b/src/smtp_out.c
	18	@@ -387,11 +387,11 @@ HDEBUG(D_transport\|D_acl\|D_v)
	19	#ifdef SUPPORT_SOCKS
	20	if (ob->socks_proxy)
	21	{
	22	int sock = socks_sock_connect(sc->host, sc->host_af, port, sc->interface,
	23	sc->tblock, ob->connect_timeout);
	24	-
	25	+
	26	if (sock >= 0)
	27	{
	28	if (early_data && early_data->data && early_data->len)
	29	if (send(sock, early_data->data, early_data->len, 0) < 0)
	30	{
	31	@@ -588,11 +588,11 @@ Arguments:
	32	buffer where to put the line
	33	size space available for the line
	34	timelimit deadline for reading the lime, seconds past epoch
	35
	36	Returns: length of a line that has been put in the buffer
	37	- -1 otherwise, with errno set
	38	+ -1 otherwise, with errno set, and inblock->ptr adjusted
	39	*/
	40
	41	static int
	42	read_response_line(smtp_inblock inblock, uschar buffer, int size, time_t timelimit)
	43	{
	44	@@ -629,10 +629,11 @@ for (;;)
	45	*p++ = c;
	46	if (--size < 4)
	47	{
	48	p = 0; / Leave malformed line for error message */
	49	errno = ERRNO_SMTPFORMAT;
	50	+ inblock->ptr = ptr;
	51	return -1;
	52	}
	53	}
	54
	55	/* Need to read a new input packet. */
	56	@@ -654,10 +655,11 @@ for (;;)
	57	}
	58
	59	/* Get here if there has been some kind of recv() error; errno is set, but we
	60	ensure that the result buffer is empty before returning. */
	61
	62	+inblock->ptr = inblock->ptrend = inblock->buffer;
	63	*buffer = 0;
	64	return -1;
65	}
66
67