1 From 56aadff97bc4e45e6a2ce25cfb9a98a4ae4bec79 Mon Sep 17 00:00:00 2001
2 From: Qualys Security Advisory <qsa@qualys.com>
3 Date: Sun, 21 Feb 2021 22:05:37 -0800
4 Subject: [PATCH 16/29] Security: Check overrun rcpt_count integer
6 Based on Heiko Schlittermann's commit e5cb5e61. This fixes:
14 5123 if (rcpt_count > recipients_max && recipients_max > 0)
16 In theory this recipients_max check can be bypassed, because the int
17 rcpt_count can overflow (become negative). In practice this would either
18 consume too much memory or generate too much network traffic, but maybe
19 it should be fixed anyway.
22 1 file changed, 2 insertions(+)
24 diff --git a/src/smtp_in.c b/src/smtp_in.c
25 index bdcfde65f..1a5fbfea3 100644
28 @@ -4993,6 +4993,8 @@ while (done <= 0)
32 + if (rcpt_count < 0 || rcpt_count >= INT_MAX/2)
33 + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Too many recipients: %d", rcpt_count);
35 was_rcpt = fl.rcpt_in_progress = TRUE;