CVE-2020-28024: Heap buffer underflow in smtp_ungetc()

author Qualys Security Advisory <qsa@qualys.com>

Mon, 22 Feb 2021 05:49:30 +0000 (21:49 -0800)

committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>

Tue, 27 Apr 2021 22:40:46 +0000 (00:40 +0200)
author Qualys Security Advisory <qsa@qualys.com>
Mon, 22 Feb 2021 05:49:30 +0000 (21:49 -0800)
committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Tue, 27 Apr 2021 22:40:46 +0000 (00:40 +0200)
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c

index a8b92d0bed001fadfa0d8acd30987a9bdd35effd..258ec03e4d03e78890e8a5aa2cd85a5e2adf31f7 100644 (file)
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -831,6 +831,9 @@ Returns:       the character
  int
  smtp_ungetc(int ch)
  {
+if (smtp_inptr <= smtp_inbuffer)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in smtp_ungetc");
+
  *--smtp_inptr = ch;
  return ch;
  }
diff --git a/src/src/tls.c b/src/src/tls.c

index e5aabc6b4b65823b40b9664c119b14784fcd0cd6..d37a8f9ff3ca8362cc8a089c5b796338d64210bd 100644 (file)
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -157,6 +157,9 @@ Returns:       the character
  int
  tls_ungetc(int ch)
  {
+if (ssl_xfer_buffer_lwm <= 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in tls_ungetc");
+
  ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch;
  return ch;
  }
author	Qualys Security Advisory <qsa@qualys.com>
	Mon, 22 Feb 2021 05:49:30 +0000 (21:49 -0800)
committer	Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
	Tue, 27 Apr 2021 22:40:46 +0000 (00:40 +0200)
src/src/smtp_in.c		patch \| blob \| history
src/src/tls.c		patch \| blob \| history