CVE-2020-28011: Heap buffer overflow in queue_run()
authorQualys Security Advisory <qsa@qualys.com>
Mon, 22 Feb 2021 03:22:33 +0000 (19:22 -0800)
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Thu, 27 May 2021 19:30:46 +0000 (21:30 +0200)
(cherry picked from commit 6e1fb878e95f8e6f838ffde5258c7a969c981865)
(cherry picked from commit 08102cbe8102f99b31655aa0e926c45b427efe6d)

src/src/queue.c

index 4c93c1d7fc15bc9cac29f705d71e8a13db50c256..567784575de2a3d7e292cf0ef1474e29472a2f3a 100644 (file)
@@ -396,12 +396,18 @@ if (!recurse)
     p += sprintf(CS p, " -q%s", extras);
 
   if (deliver_selectstring)
-    p += sprintf(CS p, " -R%s %s", f.deliver_selectstring_regex? "r" : "",
-      deliver_selectstring);
+    {
+    snprintf(CS p, big_buffer_size - (p - big_buffer), " -R%s %s",
+      f.deliver_selectstring_regex? "r" : "", deliver_selectstring);
+    p += Ustrlen(CCS p);
+    }
 
   if (deliver_selectstring_sender)
-    p += sprintf(CS p, " -S%s %s", f.deliver_selectstring_sender_regex? "r" : "",
-      deliver_selectstring_sender);
+    {
+    snprintf(CS p, big_buffer_size - (p - big_buffer), " -S%s %s",
+      f.deliver_selectstring_sender_regex? "r" : "", deliver_selectstring_sender);
+    p += Ustrlen(CCS p);
+    }
 
   log_detail = string_copy(big_buffer);
   if (*queue_name)
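Review bot: Truncation by the two new snprintf() calls (the `-R` and `-S` branches) is silent: the return value is discarded, so an over-long deliver_selectstring or deliver_selectstring_sender leaves a cut-off big_buffer that is then copied into log_detail with nothing to show it was shortened. Consider comparing the return value with the remaining space and marking or logging the case, e.g. `if (n < 0 || n >= big_buffer_size - (p - big_buffer)) /* note truncation */`. It would also help to record why the pointer is advanced with Ustrlen() rather than the return value, with a comment such as `/* snprintf returns the would-be length; advance only by the bytes actually written */`. The preceding ` -q%s` sprintf stays unbounded; extras looks short, but its size is set outside this hunk, so that is worth confirming. The enclosing `if (!recurse)` block starts and ends outside the hunk.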