Reject "dot, LF" as ending data phase. Bug 3063

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index c46f3b8c02f4692640cbb08584cecbdcd7800785..56b0aca9b6e3382cfbe555ad9a9cce8573556e14 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -58,6 +58,14 @@ JH/11 Bug 3046: Fix queue-runs.  Previously, the arrivel of a notification or
       the latter being missed, and no further queue scheduled runs being
       initiated.  This ouwld be more likely on high-load systems.
 
+JH/12 Enforce a data synch check before emitting the 354 "go ahead".  Previously
+      this was only done if a pre-data ACL was configured.
+
+JH/13 Refuse to accept a line "dot, LF" as end-of-DATA unless operating in
+      LF-only mode (as detected from the first header line).  Previously we did
+      accept that in (normal) CRLF mode; this has been raised as a possible
+      attack scenario (under the name "smtp smuggling").
+
 
 
 Exim version 4.97

diff --git a/src/src/receive.c b/src/src/receive.c
index e35400aeceba42655187926fd7dddee9546228a2..c6f6128327f20aaa221e83947f2c30c99492d4aa 100644 (file)
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -1960,8 +1960,10 @@ for (;;)
 
   if (ch == '\n')
     {
-    if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = FALSE;
-      else if (first_line_ended_crlf) receive_ungetc(' ');
+    if (first_line_ended_crlf == TRUE_UNSET)
+      first_line_ended_crlf = FALSE;
+    else if (first_line_ended_crlf)
+      receive_ungetc(' ');
     goto EOL;
     }
 
@@ -1970,6 +1972,7 @@ for (;;)
   This implements the dot-doubling rule, though header lines starting with
   dots aren't exactly common. They are legal in RFC 822, though. If the
   following is CRLF or LF, this is the line that that terminates the
+
   entire message. We set message_ended to indicate this has happened (to
   prevent further reading), and break out of the loop, having freed the
   empty header, and set next = NULL to indicate no data line. */
@@ -1977,7 +1980,11 @@ for (;;)
   if (f.dot_ends && ptr == 0 && ch == '.')
     {
     ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
-    if (ch == '\r')
+    if (ch == '\n' && first_line_ended_crlf == TRUE /* and not TRUE_UNSET */ )
+               /* dot, LF  but we are in CRLF mode.  Attack? */
+      ch = ' ';        /* replace the LF with a space */
+
+    else if (ch == '\r')
       {
       ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
       if (ch != '\n')
@@ -2013,7 +2020,8 @@ for (;;)
     ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
     if (ch == '\n')
       {
-      if (first_line_ended_crlf == TRUE_UNSET) first_line_ended_crlf = TRUE;
+      if (first_line_ended_crlf == TRUE_UNSET)
+       first_line_ended_crlf = TRUE;
       goto EOL;
       }
 

diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index e19c86ff87145062554df64c0d473d09f66a461b..aeaffeb37ff702b32ba49f415fdbb7c74c49821d 100644 (file)
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -5105,15 +5105,18 @@ while (done <= 0)
        }
 
       if (chunking_state > CHUNKING_OFFERED)
-       rc = OK;                        /* No predata ACL or go-ahead output for BDAT */
+       rc = OK;        /* There is no predata ACL or go-ahead output for BDAT */
       else
        {
-       /* If there is an ACL, re-check the synchronization afterwards, since the
-       ACL may have delayed.  To handle cutthrough delivery enforce a dummy call
-       to get the DATA command sent. */
+       /* If there is a predata-ACL, re-check the synchronization afterwards,
+       since the ACL may have delayed.  To handle cutthrough delivery enforce a
+       dummy call to get the DATA command sent. */
 
        if (!acl_smtp_predata && cutthrough.cctx.sock < 0)
+         {
+         if (!check_sync()) goto SYNC_FAILURE;
          rc = OK;
+         }
        else
          {
          uschar * acl = acl_smtp_predata ? acl_smtp_predata : US"accept";