SECURITY: smtp_out: Leave a clean input buffer, even in case of read error

Credits: Qualys

  7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
  when -1 is returned. This does not seem to have bad consequences, but is
  maybe not the intended behavior.

(cherry picked from commit f7ac5a7d1e817bf60f161e7a1d40b65d66da607f)
(cherry picked from commit 13f9998ebb937970d1d9d18f205a6e03e14105b4)

diff --git a/src/src/smtp_out.c b/src/src/smtp_out.c
index 2a4497488bc1468c483a16cf8f3b712e94d71203..eae74da00fedb3a1e6811103821c4d9e94d7052f 100644 (file)
--- a/src/src/smtp_out.c
+++ b/src/src/smtp_out.c
@@ -472,7 +472,7 @@ if (ob->socks_proxy)
   {
   int sock = socks_sock_connect(sc->host, sc->host_af, port, sc->interface,
                                sc->tblock, ob->connect_timeout);
   {
   int sock = socks_sock_connect(sc->host, sc->host_af, port, sc->interface,
                                sc->tblock, ob->connect_timeout);

-  
+

   if (sock >= 0)
     {
     if (early_data && early_data->data && early_data->len)
   if (sock >= 0)
     {
     if (early_data && early_data->data && early_data->len)


@@ -692,7 +692,7 @@ Arguments:
   timelimit deadline for reading the lime, seconds past epoch
 
 Returns:    length of a line that has been put in the buffer
   timelimit deadline for reading the lime, seconds past epoch
 
 Returns:    length of a line that has been put in the buffer

-            -1 otherwise, with errno set
+            -1 otherwise, with errno set, and inblock->ptr adjusted

 */
 
 static int
 */
 
 static int


@@ -733,6 +733,7 @@ for (;;)
       {
       *p = 0;                     /* Leave malformed line for error message */
       errno = ERRNO_SMTPFORMAT;
       {
       *p = 0;                     /* Leave malformed line for error message */
       errno = ERRNO_SMTPFORMAT;

+      inblock->ptr = ptr;

       return -1;
       }
     }
       return -1;
       }
     }