1 From f46455c848def70d686d7b164df75b27f8dae04d Mon Sep 17 00:00:00 2001
2 From: Qualys Security Advisory <qsa@qualys.com>
3 Date: Sun, 21 Feb 2021 19:53:43 -0800
4 Subject: [PATCH 09/29] CVE-2020-28022: Heap out-of-bounds read and write in
7 Based on Phil Pennock's commit c5017adf.
9 src/smtp_in.c | 20 +++++++++++++-------
10 1 file changed, 13 insertions(+), 7 deletions(-)
12 diff --git a/src/smtp_in.c b/src/smtp_in.c
13 index 4265d77b7..16c3a3e33 100644
16 @@ -1984,29 +1984,35 @@ static BOOL
17 extract_option(uschar **name, uschar **value)
20 -uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
21 -while (isspace(*v)) v--;
23 +if (Ustrlen(smtp_cmd_data) <= 0) return FALSE;
24 +v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
25 +while (v > smtp_cmd_data && isspace(*v)) v--;
28 while (v > smtp_cmd_data && *v != '=' && !isspace(*v))
30 /* Take care to not stop at a space embedded in a quoted local-part */
32 - if (*v == '"') do v--; while (*v != '"' && v > smtp_cmd_data+1);
35 + do v--; while (v > smtp_cmd_data && *v != '"');
36 + if (v <= smtp_cmd_data) return FALSE;
40 +if (v <= smtp_cmd_data) return FALSE;
45 - while(isalpha(n[-1])) n--;
46 + while (n > smtp_cmd_data && isalpha(n[-1])) n--;
47 /* RFC says SP, but TAB seen in wild and other major MTAs accept it */
48 - if (!isspace(n[-1])) return FALSE;
49 + if (n <= smtp_cmd_data || !isspace(n[-1])) return FALSE;
55 - if (v == smtp_cmd_data) return FALSE;