git://git.exim.org / exim.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3ba6086)
Fix transport buffer size handling
authorJeremy Harris <jgh146exb@wizmail.org>
Tue, 12 Feb 2019 16:52:51 +0000 (16:52 +0000)
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Mon, 2 Sep 2019 22:17:09 +0000 (00:17 +0200)
Broken-by: 59932f7dcd
(cherry picked from commit 05bf16f6217e93594929c8bbbbbc852caf3ed374)
(cherry picked from commit 1cfa7822ca8928f95160df8742af11fff888ae7e)
(cherry picked from commit 0654d3440d8735221a58f96f5343fbe243171711)

doc/doc-txt/ChangeLog patch | blob | history
src/src/transport.c patch | blob | history

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 3bc992d4d7c35f7701810f62db0d1bfe67e6a00a..5728c80bdad0e34d3c20861916a5cc46147c187e 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -16,6 +16,13 @@ Exim version 4.92.1
 JH/31 Avoid re-expansion in ${sort } expansion. (CVE-2019-13917, OVE-20190718-0006)
 
 
+Since version 4.92
+------------------
+
+JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible
+      buffer overrun for (non-chunking) other transports.
+
+
 Exim version 4.92
 -----------------
 
diff --git a/src/src/transport.c b/src/src/transport.c
index 8ccdd03890121acf320f48f780e74e782254f2f2..a069b883364bc44522e6bd4f51ab5579982dcb13 100644 (file)
--- a/src/src/transport.c
+++ b/src/src/transport.c
@@ -1115,13 +1115,13 @@ DEBUG(D_transport)
 
 if (!(tctx->options & topt_no_body))
   {
-  int size = size_limit;
+  unsigned long size = size_limit > 0 ? size_limit : ULONG_MAX;
 
   nl_check_length = abs(nl_check_length);
   nl_partial_match = 0;
   if (lseek(deliver_datafile, SPOOL_DATA_START_OFFSET, SEEK_SET) < 0)
     return FALSE;
-  while (  (len = MAX(DELIVER_IN_BUFFER_SIZE, size)) > 0
+  while (  (len = MIN(DELIVER_IN_BUFFER_SIZE, size)) > 0
        && (len = read(deliver_datafile, deliver_in_buffer, len)) > 0)
     {
     if (!write_chunk(tctx, deliver_in_buffer, len))
Master Exim source repository