CVE-2020-28010: Heap out-of-bounds write in main()

author Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>

Mon, 29 Mar 2021 20:16:28 +0000 (22:16 +0200)

committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>

Tue, 27 Apr 2021 22:40:39 +0000 (00:40 +0200)
author Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Mon, 29 Mar 2021 20:16:28 +0000 (22:16 +0200)
committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Tue, 27 Apr 2021 22:40:39 +0000 (00:40 +0200)
diff --git a/src/src/exim.c b/src/src/exim.c

index f7a45ff09d47064ebd5699ff1870d7cda7283e59..975b39a5828d596f4ad6f911631143dde67ad3fd 100644 (file)
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -3839,7 +3839,6 @@ during readconf_main() some expansion takes place already. */
  
  /* Store the initial cwd before we change directories.  Can be NULL if the
  dir has already been unlinked. */
-errno = 0;
  initial_cwd = os_getcwd(NULL, 0);
  if (!initial_cwd && errno)
    exim_fail("exim: getting initial cwd failed: %s\n", strerror(errno));
@@ -4133,11 +4132,9 @@ if (  (debug_selector & D_any  ||  LOGGING(arguments))
      p += 13;
    else
      {
-    Ustrncpy(p + 4, initial_cwd, big_buffer_size-5);
-    p += 4 + Ustrlen(initial_cwd);
-    /* in case p is near the end and we don't provide enough space for
-     * string_format to be willing to write. */
-    *p = '\0';
+    p += 4;
+    snprintf(CS p, big_buffer_size - (p - big_buffer), "%s", CCS initial_cwd);
+    p += Ustrlen(CCS p);
      }
  
    (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
author	Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
	Mon, 29 Mar 2021 20:16:28 +0000 (22:16 +0200)
committer	Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
	Tue, 27 Apr 2021 22:40:39 +0000 (00:40 +0200)