1 | From f46455c848def70d686d7b164df75b27f8dae04d Mon Sep 17 00:00:00 2001 |
2 | From: Qualys Security Advisory <qsa@qualys.com> | |
3 | Date: Sun, 21 Feb 2021 19:53:43 -0800 | |
4 | Subject: [PATCH 09/29] CVE-2020-28022: Heap out-of-bounds read and write in | |
5 | extract_option() | |
6 | ||
7 | Based on Phil Pennock's commit c5017adf. | |
8 | --- | |
9 | src/smtp_in.c | 20 +++++++++++++------- | |
10 | 1 file changed, 13 insertions(+), 7 deletions(-) | |
11 | ||
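diff --git a/src/smtp_in.c b/src/smtp_in.c
index 4265d77b7..16c3a3e33 100644
--- a/src/smtp_in.c
+++ b/src/smtp_in.c
@@ -1984,29 +1984,35 @@ static BOOL
 extract_option(uschar **name, uschar **value)
 {
 uschar *n;
-uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
-while (isspace(*v)) v--;
+uschar *v;
+if (Ustrlen(smtp_cmd_data) <= 0) return FALSE;
+v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
+while (v > smtp_cmd_data && isspace(*v)) v--;
 v[1] = 0;
+
 while (v > smtp_cmd_data && *v != '=' && !isspace(*v))
 {
 /* Take care to not stop at a space embedded in a quoted local-part */
-
- if (*v == '"') do v--; while (*v != '"' && v > smtp_cmd_data+1);
+ if (*v == '"')
+ {
+ do v--; while (v > smtp_cmd_data && *v != '"');
+ if (v <= smtp_cmd_data) return FALSE;
+ }
 v--;
 }
+if (v <= smtp_cmd_data) return FALSE;
 
 n = v;
 if (*v == '=')
 {
- while(isalpha(n[-1])) n--;
+ while (n > smtp_cmd_data && isalpha(n[-1])) n--;
 /* RFC says SP, but TAB seen in wild and other major MTAs accept it */
- if (!isspace(n[-1])) return FALSE;
+ if (n <= smtp_cmd_data || !isspace(n[-1])) return FALSE;
 n[-1] = 0;
 }
 else
 {
 n++;
- if (v == smtp_cmd_data) return FALSE;
 }
 *v++ = 0;
 *name = n;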
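Review bot: The new early returns all rest on the invariant that `v` and `n` are never stepped to or below `smtp_cmd_data` before they are dereferenced or written through, but nothing in the hunk states that, so a later edit could drop one of the `v > smtp_cmd_data` guards without seeing what it protects; a comment above the first guard such as `/* Every backward scan below is bounded by smtp_cmd_data; an option that would need a byte before the buffer is rejected rather than read. */` would pin it down. Minor style point on the two added lines at the top of the function: `Ustrlen(smtp_cmd_data)` is evaluated twice, and `int len = Ustrlen(smtp_cmd_data); if (len <= 0) return FALSE; v = smtp_cmd_data + len - 1;` says the same thing once. extract_option continues past the end of the hunk, so whether its tail is consistent with the added return paths cannot be checked from here.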
59 | -- | |
60 | 2.30.2 | |
61 |