SECURITY: off-by-one in smtp transport (read response)
authorHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Sat, 21 Nov 2020 21:03:03 +0000 (22:03 +0100)
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Tue, 27 Apr 2021 22:40:28 +0000 (00:40 +0200)
commit4045cb01a590ec480f45f80967cd9c59fe23a5d0
tree5ee1d1172de3e9f6e0000b9470c12a5905a41d92
parent125f0d4afbc858cf514c29326a3016c2d9d7bdc1
SECURITY: off-by-one in smtp transport (read response)

Credits: Qualys

    1/ In src/transports/smtp.c:

    2281       int n = sizeof(sx->buffer);
    2282       uschar * rsp = sx->buffer;
    2283
    2284       if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
    2285         { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }

    This should probably be either:

    rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1;

    or:

    rsp = sx->buffer + n; n = sizeof(sx->buffer) - n;

    (not sure which) to avoid an off-by-one.

(cherry picked from commit d2c44ef5dd94f1f43ba1d1a02bc4594f4fba5e38)
src/src/transports/smtp.c