3 > We will review the remaining commits tomorrow.
5 ========================================================================
6 commit c5017adfb3d157cbaf12e91d693ea8c5ebc5b9fb
8 SECURITY: fix SMTP verb option parsing
10 This fixes the vulnerability that we reported. This function is still
11 very fragile; if you wish to harden it further, the following lines must
12 make sure that they do not access or move a pointer out-of-bounds (i.e.,
15 uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
17 while (isspace(*v)) v--;
19 while(isalpha(n[-1])) n--;
21 Right now we are unable to exploit these because 1/ smtp_read_command()
22 strips spaces from smtp_cmd_data and 2/ we are unable to store an alpha
23 or a space at smtp_cmd_data[-1] (the last character of smtp_cmd_buffer).
25 For example, these two lines can read out-of-bounds (at
26 smtp_cmd_data[-1]) despite the fixes:
28 while(isalpha(n[-1])) n--;
30 if (!isspace(n[-1])) return FALSE;
32 The 2/ is pure luck, because smtp_cmd_data[-1] is the last character of
33 smtp_cmd_buffer, which is allocated with store_get_perm(), which is not
34 initialized: smtp_cmd_data[-1] could be anything, but we failed to store
35 an alpha or a space there (this does not mean it is impossible). So this
36 should probably be fixed at some point.
38 ========================================================================
39 commit 4715403ea66aedcf1e0dde61ae483bf3ac3a071f
41 SECURITY: rework BDAT receive function handling
43 This clearly simplifies the BDAT state/stack. Maybe add a
44 lwr_receive_getc == NULL check in bdat_pop_receive_functions() (and
45 LOG_PANIC_DIE if it is NULL) to avoid a NULL pointer dereference later
46 (in case BDAT gets confused somehow)?
48 ========================================================================
50 Thank you very much! We are at your disposal for questions, comments,
51 and further discussions.
56 the Qualys Security Advisory team