From: Heiko Schlittermann (HS12-RIPE) Date: Sat, 21 Nov 2020 21:03:03 +0000 (+0100) Subject: SECURITY: off-by-one in smtp transport (read response) X-Git-Tag: exim-4.95-RC0~51^2~35 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/fa5f51b5b5157e55104bd10d66ccaa066090eec3 SECURITY: off-by-one in smtp transport (read response) Credits: Qualys 1/ In src/transports/smtp.c: 2281 int n = sizeof(sx->buffer); 2282 uschar * rsp = sx->buffer; 2283 2284 if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2) 2285 { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; } This should probably be either: rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1; or: rsp = sx->buffer + n; n = sizeof(sx->buffer) - n; (not sure which) to avoid an off-by-one. (cherry picked from commit d2c44ef5dd94f1f43ba1d1a02bc4594f4fba5e38) (cherry picked from commit 4045cb01a590ec480f45f80967cd9c59fe23a5d0) --- diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 02a55f198..264ebc094 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -2475,8 +2475,8 @@ goto SEND_QUIT; int n = sizeof(sx->buffer); uschar * rsp = sx->buffer; - if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2) - { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; } + if (sx->esmtp_sent && (n = Ustrlen(sx->buffer) + 1) < sizeof(sx->buffer)/2) + { rsp = sx->buffer + n; n = sizeof(sx->buffer) - n; } if (smtp_write_command(sx, SCMD_FLUSH, "HELO %s\r\n", sx->helo_data) < 0) goto SEND_FAILED;
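Review bot: in the new `if` line, the assignment `n = Ustrlen(sx->buffer) + 1` sits inside the condition, so when `sx->esmtp_sent` is set but the `< sizeof(sx->buffer)/2` test fails, `n` is left at the string length plus one while `rsp` still points at `sx->buffer`. That stays in bounds, but the fallback path no longer sees the `sizeof(sx->buffer)` that `n` was initialised with, which looks unintended. Consider taking the length into a separate local and assigning `rsp` and `n` only inside the braces. The comparison also mixes the `int` `n` with the unsigned result of `sizeof`; a `size_t` local for the length would avoid that. With the new lines, `rsp` ends up at `sx->buffer + len + 1` and `n` at `sizeof(sx->buffer) - len - 1`, which is the first of the two variants in the report and keeps the terminating NUL of the earlier response; a one-line comment saying so would settle the "not sure which" left in the commit message.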