CVE-2020-28026: Line truncation and injection in spool_read_header()
authorHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Tue, 30 Mar 2021 20:03:49 +0000 (22:03 +0200)
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Thu, 27 May 2021 19:30:50 +0000 (21:30 +0200)
commitc82e60b402bd17620e57a0774d27b39d7ea6eb09
tree37aa66f23b18c940c462e7fbdc0c70cac0781e0d
parentd17c916db7c661aacf65684a5568f8e105e50b3b
CVE-2020-28026: Line truncation and injection in spool_read_header()

This also fixes:

2/ In src/spool_in.c:

 462   while (  (len = Ustrlen(big_buffer)) == big_buffer_size-1
 463         && big_buffer[len-1] != '\n'
 464         )
 465     {   /* buffer not big enough for line; certs make this possible */
 466     uschar * buf;
 467     if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
 468     buf = store_get_perm(big_buffer_size *= 2, FALSE);
 469     memcpy(buf, big_buffer, --len);

The --len in memcpy() chops off a useful byte (we know for sure that
big_buffer[len-1] is not a '\n' because we entered the while loop).

Based on a patch done by Qualys.

(cherry picked from commit f0c307458e1ee81abbe7ed2d4a8d16b5cbd8a799)
(cherry picked from commit 4daba4bec729a57fb0863af786a1395e70794c76)
src/src/spool_in.c