CVE-2020-28010: Heap out-of-bounds write in main()
diff --git
a/src/src/exim.c
b/src/src/exim.c
index 3aa006d96c1232f1a3661f5bcc388273c06b809a..975b39a5828d596f4ad6f911631143dde67ad3fd 100644
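--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -3207,6 +3207,10 @@ on the second character (the one after '-'), to save some effort. */
 -oPX: delete pid file of daemon */
 case 'P':
+ if (!f.running_in_test_harness && real_uid != root_uid && real_uid != exim_uid)
+ exim_fail("exim: only uid=%d or uid=%d can use -oP and -oPX "
+ "(uid=%d euid=%d | %d)\n",
+ root_uid, exim_uid, getuid(), geteuid(), real_uid);
 if (!*argrest) override_pid_file_path = argv[++i];
 else if (Ustrcmp(argrest, "X") == 0) delete_pid_file();
 else badarg = TRUE;
@@ -3835,7 +3839,6 @@ during readconf_main() some expansion takes place already. */
 /* Store the initial cwd before we change directories. Can be NULL if the
 dir has already been unlinked. */
-errno = 0;
 initial_cwd = os_getcwd(NULL, 0);
 if (!initial_cwd && errno)
 exim_fail("exim: getting initial cwd failed: %s\n", strerror(errno));
@@ -4129,11 +4132,9 @@ if ( (debug_selector & D_any || LOGGING(arguments))
 p += 13;
 else
 {
- Ustrncpy(p + 4, initial_cwd, big_buffer_size-5);
- p += 4 + Ustrlen(initial_cwd);
- /* in case p is near the end and we don't provide enough space for
- * string_format to be willing to write. */
- *p = '\0';
+ p += 4;
+ snprintf(CS p, big_buffer_size - (p - big_buffer), "%s", CCS initial_cwd);
+ p += Ustrlen(CCS p);
 }
 (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);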
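Review bot: In the second hunk the `errno = 0;` reset before `os_getcwd(NULL, 0)` is dropped while the test `if (!initial_cwd && errno)` still reads errno, so a value left over from an earlier call can now decide the outcome. The comment above the call says the result can be NULL when the directory has been unlinked; if that case is meant to be tolerated, a stale errno would presumably turn it into an `exim_fail` with an unrelated strerror text. Unless os_getcwd (not visible on this page) clears errno itself, I would keep `errno = 0;` directly before the call. In the third hunk the return value of the bounded `snprintf` is not checked, so an over-long cwd is silently truncated in the logged line; a comment such as `/* truncation of an over-long cwd is acceptable here */` would record that this is intended. All three hunks sit inside main(), whose body starts and ends outside this page.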