Import Debian changes 4.92-8+deb10u6
[hcoop/debian/exim4.git] / debian / patches / 84_16-Security-Check-overrun-rcpt_count-integer.patch
From 56aadff97bc4e45e6a2ce25cfb9a98a4ae4bec79 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Sun, 21 Feb 2021 22:05:37 -0800
Subject: [PATCH 16/29] Security: Check overrun rcpt_count integer

Based on Heiko Schlittermann's commit e5cb5e61. This fixes:

4/ In src/smtp_in.c:

4966 case RCPT_CMD:
4967 HAD(SCH_RCPT);
4968 rcpt_count++;
....
5123 if (rcpt_count > recipients_max && recipients_max > 0)

In theory this recipients_max check can be bypassed, because the int
rcpt_count can overflow (become negative). In practice this would either
consume too much memory or generate too much network traffic, but maybe
it should be fixed anyway.
---
 src/smtp_in.c | 2 ++
 1 file changed, 2 insertions(+)

24 diff --git a/src/smtp_in.c b/src/smtp_in.c
25 index bdcfde65f..1a5fbfea3 100644
26 --- a/src/smtp_in.c
27 +++ b/src/smtp_in.c
28 @@ -4993,6 +4993,8 @@ while (done <= 0)
29
30 case RCPT_CMD:
31 HAD(SCH_RCPT);
32 + if (rcpt_count < 0 || rcpt_count >= INT_MAX/2)
33 + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Too many recipients: %d", rcpt_count);
34 rcpt_count++;
35 was_rcpt = fl.rcpt_in_progress = TRUE;
36
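Review bot: the new guard in the RCPT_CMD case uses INT_MAX but the hunk adds no include, so <limits.h> must already be in scope in smtp_in.c (presumably via exim.h); worth confirming on the deb10u6 backport before merging. Two smaller points on the same two lines: the `rcpt_count < 0` arm can never be reached once the `>= INT_MAX/2` arm stops the counter before every increment, so it is a belt-and-braces check and deserves a one-line comment saying so; and LOG_PANIC_DIE tears down the whole session with a panic log entry instead of letting the command fall through to the existing recipients_max comparison the commit message points at (line ~5123). That is defensible given the message's own argument that the threshold is unreachable in practice, but the rationale should sit in a code comment next to `log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Too many recipients: %d", rcpt_count);` rather than only in the commit message.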
37 --
38 2.30.2
39
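The bypass the commit message describes, as an added illustration that is not part of the patch or of Exim's code: a 16-bit counter stands in for Exim's int rcpt_count so the wrap shows up after 32768 RCPT commands instead of 2^31. RECIPIENTS_MAX, rcpt_unguarded, rcpt_guarded and accepted_after are names chosen for this example, and SESSION_DROPPED stands in for what LOG_PANIC_DIE does in the patched code. The unguarded variant increments on every RCPT, including rejected ones, exactly as the quoted `rcpt_count++` does before the `rcpt_count > recipients_max` comparison, so once the counter wraps negative every further recipient is accepted again; the guarded variant applies the patch's `< 0 || >= MAX/2` check before the increment.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the check described in the commit message; not Exim
 * code. int16_t replaces Exim's int so the overflow is cheap to reproduce. */

#define RECIPIENTS_MAX 100   /* stands in for Exim's recipients_max */

enum rcpt_result { RCPT_ACCEPTED, RCPT_REJECTED, SESSION_DROPPED };

/* Pre-patch shape: increment unconditionally, then compare. The narrowing
 * store wraps on two's-complement targets, so after 32767 the counter goes
 * negative and `count > RECIPIENTS_MAX` is false again. */
static enum rcpt_result rcpt_unguarded(int16_t *count)
{
    *count = (int16_t)(*count + 1);               /* arithmetic in int, truncated */
    return (*count > RECIPIENTS_MAX && RECIPIENTS_MAX > 0)
               ? RCPT_REJECTED : RCPT_ACCEPTED;   /* mirrors the line-5123 check */
}

/* Patched shape: refuse to go on once the counter is negative or past half
 * its range, mirroring `rcpt_count < 0 || rcpt_count >= INT_MAX/2`. The
 * LOG_PANIC_DIE of the real patch becomes SESSION_DROPPED here. */
static enum rcpt_result rcpt_guarded(int16_t *count)
{
    if (*count < 0 || *count >= INT16_MAX / 2)
        return SESSION_DROPPED;
    *count = (int16_t)(*count + 1);
    return (*count > RECIPIENTS_MAX && RECIPIENTS_MAX > 0)
               ? RCPT_REJECTED : RCPT_ACCEPTED;
}

/* Drive n RCPT commands through one session and return how many the
 * server accepted; a dropped session ends the loop early. */
static long accepted_after(long n, enum rcpt_result (*rcpt)(int16_t *))
{
    int16_t count = 0;
    long accepted = 0;
    for (long i = 0; i < n; i++) {
        enum rcpt_result r = rcpt(&count);
        if (r == SESSION_DROPPED)
            break;
        if (r == RCPT_ACCEPTED)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    /* 40000 RCPTs in one session: the unguarded counter wraps at 32768 and
     * accepts every recipient after that; the guarded one stops at 100. */
    printf("unguarded: %ld accepted of 40000 (limit %d)\n",
           accepted_after(40000, rcpt_unguarded), RECIPIENTS_MAX);
    printf("guarded:   %ld accepted of 40000 (limit %d)\n",
           accepted_after(40000, rcpt_guarded), RECIPIENTS_MAX);
    return 0;
}
```

With a real 32-bit counter the same run needs about 2.1 billion RCPT commands, which is the "too much network traffic" the commit message refers to; the guard's point is that the ceiling is enforced before the increment, so the counter can never reach a value where the later comparison lies.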