SECURITY: smtp_out: Leave a clean input buffer, even in case of read error

Credits: Qualys

  7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
  when -1 is returned. This does not seem to have bad consequences, but is
  maybe not the intended behavior.

(cherry picked from commit f7ac5a7d1e817bf60f161e7a1d40b65d66da607f)

diff --git a/src/src/smtp_out.c b/src/src/smtp_out.c
index c4c409677689f5ffaa74b55721640997fe72cc83..d6dfba52e02840197012b9cf683a2052a78d912f 100644 (file)
--- a/src/src/smtp_out.c
+++ b/src/src/smtp_out.c
@@ -425,7 +425,7 @@ if (ob->socks_proxy)
   {
   int sock = socks_sock_connect(sc->host, sc->host_af, port, sc->interface,
                                sc->tblock, ob->connect_timeout);
-  
+
   if (sock >= 0)
     {
     if (early_data && early_data->data && early_data->len)
@@ -643,7 +643,7 @@ Arguments:
   timelimit deadline for reading the lime, seconds past epoch
 
 Returns:    length of a line that has been put in the buffer
-            -1 otherwise, with errno set
+            -1 otherwise, with errno set, and inblock->ptr adjusted
 */
 
 static int
@@ -684,6 +684,7 @@ for (;;)
       {
       *p = 0;                     /* Leave malformed line for error message */
       errno = ERRNO_SMTPFORMAT;
+      inblock->ptr = ptr;
       return -1;
       }
     }