Chunking: do not treat the first lonely dot special. CVE-2017-16944, Bug 2201
authorHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Mon, 27 Nov 2017 21:42:33 +0000 (22:42 +0100)
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Tue, 28 Nov 2017 20:33:14 +0000 (21:33 +0100)
src/src/receive.c
src/src/smtp_in.c

index 541eba138a2aebebf604cc9a2aa3bfa1fbb7caa4..417e9754f8ff9f7fcd5ab4609a3982c195d163c3 100644 (file)
@@ -1865,7 +1865,7 @@ for (;;)
   prevent further reading), and break out of the loop, having freed the
   empty header, and set next = NULL to indicate no data line. */
 
-  if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
+  if (ptr == 0 && ch == '.' && dot_ends)
     {
     ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
     if (ch == '\r')
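Review bot: With `smtp_input ||` removed from this test, whether a lone dot on the first line ends an SMTP message now depends entirely on the global `dot_ends` having been set for the current message before this loop runs, and nothing here says so. The smtp_in.c part of this commit sets it in the DATA and BDAT cases, but any other path that reaches this code with smtp_input set (none is visible on this page) would inherit whatever value dot_ends last had, so those callers are worth checking. I would add a comment at the test such as `/* dot_ends is set per message by the SMTP command handler: TRUE for DATA, FALSE for BDAT */`. The explanatory comment above and the enclosing for(;;) loop both start outside the hunk, so confirm that the comment still matches the new condition.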
index 1fdb705a5f86cd4e5e140a3fd792aac992cc4ca9..0aabc53563333d23e862081da2df416bd31fb328 100644 (file)
@@ -5094,17 +5094,24 @@ while (done <= 0)
       DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
                                    (int)chunking_state, chunking_data_left);
 
+      /* push the current receive_* function on the "stack", and
+      replace them by bdat_getc(), which in turn will use the lwr_receive_*
+      functions to do the dirty work. */
       lwr_receive_getc = receive_getc;
       lwr_receive_getbuf = receive_getbuf;
       lwr_receive_ungetc = receive_ungetc;
+
       receive_getc = bdat_getc;
       receive_ungetc = bdat_ungetc;
 
+      dot_ends = FALSE;
+
       goto DATA_BDAT;
       }
 
     case DATA_CMD:
     HAD(SCH_DATA);
+    dot_ends = TRUE;
 
     DATA_BDAT:         /* Common code for DATA and BDAT */
     if (!discarded && recipients_count <= 0)
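Review bot: The save into `lwr_receive_getc`, `lwr_receive_getbuf` and `lwr_receive_ungetc` is unconditional, so if this case is ever entered while `receive_getc` is already `bdat_getc`, the lower-layer pointers would be overwritten with the BDAT wrappers themselves and bdat_getc would end up calling itself. The restore is not visible in this hunk, so this may be unreachable, but a guard such as `if (!lwr_receive_getc)` around the three saves would make a repeated push harmless, assuming the restore resets the pointers to NULL. The new comment also says the receive_* functions are replaced, yet in the visible lines only `receive_getc` and `receive_ungetc` are; `receive_getbuf` is saved and left in place, and the comment should say why. The switch and the enclosing while loop start outside the hunk.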