SECURITY: off-by-one in smtp transport (read response)
authorHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Sat, 21 Nov 2020 21:03:03 +0000 (22:03 +0100)
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Thu, 27 May 2021 19:30:34 +0000 (21:30 +0200)
Credits: Qualys

    1/ In src/transports/smtp.c:

    2281       int n = sizeof(sx->buffer);
    2282       uschar * rsp = sx->buffer;
    2283
    2284       if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
    2285         { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }

    This should probably be either:

    rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1;

    or:

    rsp = sx->buffer + n; n = sizeof(sx->buffer) - n;

    (not sure which) to avoid an off-by-one.

(cherry picked from commit d2c44ef5dd94f1f43ba1d1a02bc4594f4fba5e38)
(cherry picked from commit 4045cb01a590ec480f45f80967cd9c59fe23a5d0)

src/src/transports/smtp.c

index 02a55f198ec4fb5db5c0851fb58aa786746787dc..264ebc0946a9bff05d999d1341ee81c71d003bb8 100644 (file)
@@ -2475,8 +2475,8 @@ goto SEND_QUIT;
       int n = sizeof(sx->buffer);
       uschar * rsp = sx->buffer;
 
-      if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
-       { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
+      if (sx->esmtp_sent && (n = Ustrlen(sx->buffer) + 1) < sizeof(sx->buffer)/2)
+       { rsp = sx->buffer + n; n = sizeof(sx->buffer) - n; }
 
       if (smtp_write_command(sx, SCMD_FLUSH, "HELO %s\r\n", sx->helo_data) < 0)
        goto SEND_FAILED;
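Review bot: The `+ 1` on the new condition line folds the NUL terminator of the EHLO response into `n`, which is exactly what makes `rsp = sx->buffer + n` and `n = sizeof(sx->buffer) - n` line up, but nothing in the code says so; a comment above the `if` such as `/* n = EHLO response length incl. its NUL; rsp starts just past it and sizeof(buffer) - n bytes remain */` would keep the next reader from "correcting" it back into the off-by-one this commit fixes. Note also that the assignment inside the condition still runs when the comparison fails, so on that path `n` is left at `Ustrlen(sx->buffer) + 1` rather than `sizeof(sx->buffer)` while `rsp` still points at the start of the buffer; the old code behaved the same way with `Ustrlen(sx->buffer)`, and since that value is at least half the buffer it presumably stays in bounds, but it is worth confirming that the read size the consumer uses is this `n`. The comparison of `int n` against a `size_t` mixes signedness; it is harmless here because `n` is non-negative, but `-Wsign-compare` will flag it, so declaring `n` as `size_t` (if the consumer's parameter type allows) would be cleaner. The code that consumes `rsp` and `n` lies outside the hunk.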