CVE-2020-28024: Heap buffer underflow in smtp_ungetc()

[exim.git] / src / src / tls.c

diff --git a/src/src/tls.c b/src/src/tls.c
index c088c7d85ff25214c21976d91d28915695b3ff76..e073eadbeb3f47a4c12ed72ce1246324a6589888 100644 (file)
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -163,6 +163,7 @@ int fd1, fd2, i, cnt = 0;
 struct stat sb;
 #ifdef OpenBSD
 struct kevent k_dummy;
+struct timespec ts = {0};
 #endif
 
 errno = 0;
@@ -215,14 +216,13 @@ for (;;)
   store_release_above(s+1);
   }
 
-if (kevent(tls_watch_fd, &kev[kev_used-cnt], cnt,
 #ifdef OpenBSD
-           &k_dummy, 1,
+if (kevent(tls_watch_fd, &kev[kev_used-cnt], cnt, &k_dummy, 1, &ts) >= 0)
+  return TRUE;
 #else
-           NULL, 0,
-#endif
-           NULL) >= 0)
+if (kevent(tls_watch_fd, &kev[kev_used-cnt], cnt, NULL, 0, NULL) >= 0)
   return TRUE;
+#endif
 s = US"kevent";
 
 bad:
@@ -457,6 +457,9 @@ Returns:       the character
 int
 tls_ungetc(int ch)
 {
+if (ssl_xfer_buffer_lwm <= 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in tls_ungetc");
+
 ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch;
 return ch;
 }