git://git.exim.org / exim.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 5acbba8) | patch
SECURITY: off-by-one in smtp transport (read response)
authorHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Sat, 21 Nov 2020 21:03:03 +0000 (22:03 +0100)
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Thu, 27 May 2021 19:30:34 +0000 (21:30 +0200)
commitfa5f51b5b5157e55104bd10d66ccaa066090eec3
treecac0a26db2a17d290260c1fa0eb572dff2000b9atree | snapshot
parent5acbba8e07243f6c221171398d90a6c824724f45commit | diff
SECURITY: off-by-one in smtp transport (read response)

Credits: Qualys

    1/ In src/transports/smtp.c:

    2281       int n = sizeof(sx->buffer);
    2282       uschar * rsp = sx->buffer;
    2283
    2284       if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
    2285         { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }

    This should probably be either:

    rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1;

    or:

    rsp = sx->buffer + n; n = sizeof(sx->buffer) - n;

    (not sure which) to avoid an off-by-one.

(cherry picked from commit d2c44ef5dd94f1f43ba1d1a02bc4594f4fba5e38)
(cherry picked from commit 4045cb01a590ec480f45f80967cd9c59fe23a5d0)
src/src/transports/smtp.c diff | blob | history
Master Exim source repository