SECURITY: fix SMTP verb option parsing

A boundary case in looking for an opening quote before the closing quote could
walk off the front of the buffer.

(cherry picked from commit 515d8d43a18481d23d7cf410b8dc71b4e254ebb8)
(cherry picked from commit 467948de0c407bd2bbc2e84abbbf09f35b035538)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 3d0e638d29cfa22c3181d147a6f3261aae1004a5..9837d6c0f61ac0e22322909d7d4d49d1a5520302 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -285,6 +285,9 @@ PP/09 Fix security issue with too many recipients on a message (to remove a
       or if local additions add to the recipient list).
       Fixes CVE-2020-RCPTL reported by Qualys.
 
+PP/10 Fix security issue in SMTP verb option parsing
+      Fixes CVE-2020-EXOPT reported by Qualys.
+
 
 Exim version 4.94
 -----------------

diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index d60e7d5c5eec87acf701fa8e3809056c616bcc97..4f16fd4b82f5de8e4fd1cc6fd072208882662e54 100644 (file)
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -1969,12 +1969,13 @@ extract_option(uschar **name, uschar **value)
 uschar *n;
 uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
 while (isspace(*v)) v--;
-v[1] = 0;
+v[1] = '\0';
 while (v > smtp_cmd_data && *v != '=' && !isspace(*v))
   {
   /* Take care to not stop at a space embedded in a quoted local-part */
 
-  if (*v == '"') do v--; while (*v != '"' && v > smtp_cmd_data+1);
+  if ((*v == '"') && (v > smtp_cmd_data + 1))
+    do v--; while (*v != '"' && v > smtp_cmd_data+1);
   v--;
   }