| 1 | From: "Heiko Schlittermann (HS12-RIPE)" <hs@schlittermann.de> |
| 2 | Date: Mon, 27 Nov 2017 22:42:33 +0100 |
| 3 | Subject: Chunking: do not treat the first lonely dot special. CVE-2017-16944, |
| 4 | Bug 2201 |
| 5 | Origin: https://git.exim.org/exim.git/commit/4804c62909a62a3ac12ec4777ebd48c541028965 |
| 6 | Bug: https://bugs.exim.org/show_bug.cgi?id=2201 |
| 7 | Bug-Debian: https://bugs.debian.org/882671 |
| 8 | Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16944 |
| 9 | |
| 10 | (cherry picked from commit 178ecb70987f024f0e775d87c2f8b2cf587dd542) |
| 11 | |
| 12 | Change log update |
| 13 | |
| 14 | (cherry picked from commit b488395f4d99d44a950073a64b35ec8729102782) |
| 15 | |
| 16 | --- |
| 17 | diff --git a/src/receive.c b/src/receive.c |
| 18 | index 20672dbe..2812ea2c 100644 |
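--- a/src/receive.c
+++ b/src/receive.c
@@ -1827,7 +1827,7 @@ for (;;)
 prevent further reading), and break out of the loop, having freed the
 empty header, and set next = NULL to indicate no data line. */
 
- if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
+ if (ptr == 0 && ch == '.' && dot_ends)
 {
 ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
 if (ch == '\r')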
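Review bot: With `smtp_input` dropped from the changed `if`, the lone-dot terminator in this header loop depends entirely on the global `dot_ends` holding the right value for the current message, and nothing next to the condition says who sets it. I would add a comment above the test such as `/* For SMTP input dot_ends is set per message by the DATA and BDAT handlers in smtp_in.c; BDAT data is length-delimited, so a leading "." is not a terminator there. */`. Any other dot-handling test in receive.c that still consults `smtp_input` lies outside this hunk, so it is worth confirming that none of them can be reached while chunked input is being read. The enclosing `for (;;)` loop starts and ends outside the hunk.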
| 30 | diff --git a/src/smtp_in.c b/src/smtp_in.c |
| 31 | index 1b45f84d..02075404 100644 |
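--- a/src/smtp_in.c
+++ b/src/smtp_in.c
@@ -4955,16 +4955,23 @@ while (done <= 0)
 DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
 (int)chunking_state, chunking_data_left);
 
+ /* push the current receive_* function on the "stack", and
+ replace them by bdat_getc(), which in turn will use the lwr_receive_*
+ functions to do the dirty work. */
 lwr_receive_getc = receive_getc;
 lwr_receive_ungetc = receive_ungetc;
+
 receive_getc = bdat_getc;
 receive_ungetc = bdat_ungetc;
 
+ dot_ends = FALSE;
+
 goto DATA_BDAT;
 }
 
 case DATA_CMD:
 HAD(SCH_DATA);
+ dot_ends = TRUE;
 
 DATA_BDAT: /* Common code for DATA and BDAT */
 if (!discarded && recipients_count <= 0)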
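Review bot: `dot_ends = FALSE;` before `goto DATA_BDAT` and `dot_ends = TRUE;` under `case DATA_CMD:` overwrite a process-wide flag with no comment and no saved copy, unlike the receive function pointers just above, which get both. A one-line comment on each assignment, e.g. `/* BDAT is length-delimited: a line holding only "." is message data, not end-of-message (CVE-2017-16944) */`, would record why the flag is forced here. If `dot_ends` is also set from the command line or configuration (not visible in this hunk), the value it had before the first DATA or BDAT is lost for the rest of the session, so confirm that no later reader relies on it. The fix would also benefit from a regression test covering a BDAT chunk whose first line is a lone ".". The `while (done <= 0)` loop and the BDAT case both begin outside the hunk.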
| 58 | -- |
| 59 | 2.15.0 |
| 60 | |