SECURITY: fix SMTP verb option parsing

A boundary case in looking for an opening quote before the closing quote could
walk off the front of the buffer.

(cherry picked from commit 515d8d43a18481d23d7cf410b8dc71b4e254ebb8)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 3bb5326cef9a42da7eb3ae6546c50fa4bab422fc..1c7c39e2c72256c547cb95e1dcce26217581f448 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -196,6 +196,9 @@ PP/09 Fix security issue with too many recipients on a message (to remove a
       or if local additions add to the recipient list).
       Fixes CVE-2020-RCPTL reported by Qualys.
 
+PP/10 Fix security issue in SMTP verb option parsing
+      Fixes CVE-2020-EXOPT reported by Qualys.
+
 
 Exim version 4.94
 -----------------

diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index f53c3cf654424823e97351cedd7a326db541b339..a86e977ced9b798aa140d2b589c067154ea0e2a7 100644 (file)
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -1997,12 +1997,13 @@ extract_option(uschar **name, uschar **value)
 uschar *n;
 uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
 while (isspace(*v)) v--;
-v[1] = 0;
+v[1] = '\0';
 while (v > smtp_cmd_data && *v != '=' && !isspace(*v))
   {
   /* Take care to not stop at a space embedded in a quoted local-part */
 
-  if (*v == '"') do v--; while (*v != '"' && v > smtp_cmd_data+1);
+  if ((*v == '"') && (v > smtp_cmd_data + 1))
+    do v--; while (*v != '"' && v > smtp_cmd_data+1);
   v--;
   }