1 From 28335a4704d8d615fd61e05ea6e435a4cd24e4df Mon Sep 17 00:00:00 2001
2 From: Qualys Security Advisory <qsa@qualys.com>
3 Date: Sun, 21 Feb 2021 22:13:18 -0800
4 Subject: [PATCH 18/29] Security: Fix off-by-one in smtp transport (read
7 Based on Heiko Schlittermann's commit 1887a160. This fixes:
9 1/ In src/transports/smtp.c:
11 2281 int n = sizeof(sx->buffer);
12 2282 uschar * rsp = sx->buffer;
14 2284 if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
15 2285 { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
17 This should probably be either:
19 rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1;
23 rsp = sx->buffer + n; n = sizeof(sx->buffer) - n;
25 (not sure which) to avoid an off-by-one.
27 src/transports/smtp.c | 4 ++--
28 1 file changed, 2 insertions(+), 2 deletions(-)
30 diff --git a/src/transports/smtp.c b/src/transports/smtp.c
31 index cc37e73f3..07b63a2aa 100644
32 --- a/src/transports/smtp.c
33 +++ b/src/transports/smtp.c
34 @@ -2328,8 +2328,8 @@ goto SEND_QUIT;
35 int n = sizeof(sx->buffer);
36 uschar * rsp = sx->buffer;
38 - if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
39 - { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
40 + if (sx->esmtp_sent && (n = Ustrlen(sx->buffer) + 1) < sizeof(sx->buffer)/2)
41 + { rsp = sx->buffer + n; n = sizeof(sx->buffer) - n; }
43 if (smtp_write_command(sx, SCMD_FLUSH, "HELO %s\r\n", sx->helo_data) < 0)