debian/patches/84_20-Security-Leave-a-clean-smtp_out-input-buffer-even-in.patch

   1 From 6b647c508aced6961f00e139f0337e2c8aba9eb7 Mon Sep 17 00:00:00 2001
   2 From: Qualys Security Advisory <qsa@qualys.com>
   3 Date: Sun, 21 Feb 2021 22:24:13 -0800
   4 Subject: [PATCH 20/29] Security: Leave a clean smtp_out input buffer even in
   5  case of read error
   6
   7 Based on Heiko Schlittermann's commit 54895bc3. This fixes:
   8
   9 7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
  10 when -1 is returned. This does not seem to have bad consequences, but is
  11 maybe not the intended behavior.
  12 ---
  13  src/smtp_out.c | 6 ++++--
  14  1 file changed, 4 insertions(+), 2 deletions(-)
  15
  16 --- a/src/smtp_out.c
  17 +++ b/src/smtp_out.c
  18 @@ -387,11 +387,11 @@ HDEBUG(D_transport|D_acl|D_v)
  19  #ifdef SUPPORT_SOCKS
  20  if (ob->socks_proxy)
  21    {
  22    int sock = socks_sock_connect(sc->host, sc->host_af, port, sc->interface,
  23                                 sc->tblock, ob->connect_timeout);
  24 -
  25 +
  26    if (sock >= 0)
  27      {
  28      if (early_data && early_data->data && early_data->len)
  29        if (send(sock, early_data->data, early_data->len, 0) < 0)
  30         {
  31 @@ -588,11 +588,11 @@ Arguments:
  32    buffer    where to put the line
  33    size      space available for the line
  34    timelimit deadline for reading the lime, seconds past epoch
  35
  36  Returns:    length of a line that has been put in the buffer
  37 -            -1 otherwise, with errno set
  38 +            -1 otherwise, with errno set, and inblock->ptr adjusted
  39  */
  40
  41  static int
  42  read_response_line(smtp_inblock *inblock, uschar *buffer, int size, time_t timelimit)
  43  {
  44 @@ -629,10 +629,11 @@ for (;;)
  45      *p++ = c;
  46      if (--size < 4)
  47        {
  48        *p = 0;                     /* Leave malformed line for error message */
  49        errno = ERRNO_SMTPFORMAT;
  50 +      inblock->ptr = ptr;
  51        return -1;
  52        }
  53      }
  54
  55    /* Need to read a new input packet. */
  56 @@ -654,10 +655,11 @@ for (;;)
  57    }
  58
  59  /* Get here if there has been some kind of recv() error; errno is set, but we
  60  ensure that the result buffer is empty before returning. */
  61
  62 +inblock->ptr = inblock->ptrend = inblock->buffer;
  63  *buffer = 0;
  64  return -1;
  65  }
  66
  67