Import Debian changes 4.92-8+deb10u6
[hcoop/debian/exim4.git] / debian / patches / 84_09-CVE-2020-28022-Heap-out-of-bounds-read-and-write-in-.patch
1 From f46455c848def70d686d7b164df75b27f8dae04d Mon Sep 17 00:00:00 2001
2 From: Qualys Security Advisory <qsa@qualys.com>
3 Date: Sun, 21 Feb 2021 19:53:43 -0800
4 Subject: [PATCH 09/29] CVE-2020-28022: Heap out-of-bounds read and write in
5 extract_option()
6
7 Based on Phil Pennock's commit c5017adf.
8 ---
9 src/smtp_in.c | 20 +++++++++++++-------
10 1 file changed, 13 insertions(+), 7 deletions(-)
11
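diff --git a/src/smtp_in.c b/src/smtp_in.c
index 4265d77b7..16c3a3e33 100644
--- a/src/smtp_in.c
+++ b/src/smtp_in.c
@@ -1984,29 +1984,35 @@ static BOOL
 extract_option(uschar **name, uschar **value)
 {
 uschar *n;
-uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
-while (isspace(*v)) v--;
+uschar *v;
+if (Ustrlen(smtp_cmd_data) <= 0) return FALSE;
+v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
+while (v > smtp_cmd_data && isspace(*v)) v--;
 v[1] = 0;
+
 while (v > smtp_cmd_data && *v != '=' && !isspace(*v))
 {
 /* Take care to not stop at a space embedded in a quoted local-part */
-
- if (*v == '"') do v--; while (*v != '"' && v > smtp_cmd_data+1);
+ if (*v == '"')
+ {
+ do v--; while (v > smtp_cmd_data && *v != '"');
+ if (v <= smtp_cmd_data) return FALSE;
+ }
 v--;
 }
+if (v <= smtp_cmd_data) return FALSE;
 
 n = v;
 if (*v == '=')
 {
- while(isalpha(n[-1])) n--;
+ while (n > smtp_cmd_data && isalpha(n[-1])) n--;
 /* RFC says SP, but TAB seen in wild and other major MTAs accept it */
- if (!isspace(n[-1])) return FALSE;
+ if (n <= smtp_cmd_data || !isspace(n[-1])) return FALSE;
 n[-1] = 0;
 }
 else
 {
 n++;
- if (v == smtp_cmd_data) return FALSE;
 }
 *v++ = 0;
 *name = n;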
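Review bot: The new bounds guards all rest on one unstated invariant, that `v` and `n` never move below `smtp_cmd_data`, and nothing in the function records it, so a later edit could easily reintroduce the out-of-bounds scan; a comment above the first loop such as `/* Invariant: v and n never go below smtp_cmd_data; reaching the start means no option is present */` would pin it down. The length is also computed twice at the top of the function; `int len = Ustrlen(smtp_cmd_data); if (len <= 0) return FALSE; v = smtp_cmd_data + len - 1;` scans once and keeps the emptiness check and the pointer arithmetic on the same value. `v[1] = 0` still executes before every `return FALSE` except the first, so the command buffer is trimmed even when no option is extracted, which deserves a line in the function's header comment. The diffstat touches only `src/smtp_in.c`, so no regression test for the empty, all-whitespace or unterminated-quote inputs accompanies the fix. The body of `extract_option` continues past the end of this hunk.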
59 --
60 2.30.2
61