Commit | Line | Data |
---|---|---|
d1e9e98a AM |
1 | From 2600301ba6dbac5c9d640c87007a07ee6dcea1f4 Mon Sep 17 00:00:00 2001 |
2 | From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> | |
3 | Date: Mon, 19 Aug 2019 14:45:48 +0200 | |
4 | Subject: [PATCH] string.c: do not interpret '\\' before '\0' (CVE-2019-15846) | |
5 | ||
6 | ||
7 | --- a/doc/ChangeLog | |
8 | +++ b/doc/ChangeLog | |
9 | @@ -4,6 +4,11 @@ This document describes *changes* to pre | |
10 | affect Exim's operation, with an unchanged configuration file. For new | |
11 | options, and new features, see the NewStuff file next to this ChangeLog. | |
12 | ||
13 | +Exim version 4.92.2 | |
14 | +------------------- | |
15 | + | |
16 | +HS/01 Handle trailing backslash gracefully. (CVE-2019-15846) | |
17 | + | |
18 | ||
19 | Exim version 4.89 | |
20 | ----------------- | |
21 | --- a/src/string.c | |
22 | +++ b/src/string.c | |
23 | @@ -220,6 +220,8 @@ interpreted in strings. | |
24 | Arguments: | |
25 | pp points a pointer to the initiating "\" in the string; | |
26 | the pointer gets updated to point to the final character | |
27 | + If the backslash is the last character in the string, it | |
28 | + is not interpreted. | |
29 | Returns: the value of the character escape | |
30 | */ | |
31 | ||
32 | @@ -232,6 +234,7 @@ const uschar *hex_digits= CUS"0123456789 | |
33 | int ch; | |
34 | const uschar *p = *pp; | |
35 | ch = *(++p); | |
36 | +if (ch == '\0') return **pp; | |
37 | if (isdigit(ch) && ch != '8' && ch != '9') | |
38 | { | |
39 | ch -= '0'; |