CVE-2020-28024: Heap buffer underflow in smtp_ungetc()

author Qualys Security Advisory <qsa@qualys.com>

Mon, 22 Feb 2021 05:49:30 +0000 (21:49 -0800)

committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>

Thu, 27 May 2021 19:30:53 +0000 (21:30 +0200)
author Qualys Security Advisory <qsa@qualys.com>
Mon, 22 Feb 2021 05:49:30 +0000 (21:49 -0800)
committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Thu, 27 May 2021 19:30:53 +0000 (21:30 +0200)
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c

index 9efe7baa9a9b357aa0937354c9d0b3df0a8f5145..647c231c71983dde63b2093bad5d2dbd136a4a24 100644 (file)
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -831,6 +831,9 @@ Returns:       the character
  int
  smtp_ungetc(int ch)
  {
+if (smtp_inptr <= smtp_inbuffer)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in smtp_ungetc");
+
  *--smtp_inptr = ch;
  return ch;
  }
diff --git a/src/src/tls.c b/src/src/tls.c

index ddee95de2136962cd238407a2dddcf600198434b..e073eadbeb3f47a4c12ed72ce1246324a6589888 100644 (file)
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -457,6 +457,9 @@ Returns:       the character
  int
  tls_ungetc(int ch)
  {
+if (ssl_xfer_buffer_lwm <= 0)
+  log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in tls_ungetc");
+
  ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch;
  return ch;
  }
author	Qualys Security Advisory <qsa@qualys.com>
	Mon, 22 Feb 2021 05:49:30 +0000 (21:49 -0800)
committer	Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
	Thu, 27 May 2021 19:30:53 +0000 (21:30 +0200)
src/src/smtp_in.c		patch \| blob \| history
src/src/tls.c		patch \| blob \| history