From: Jeremy Harris
Date: Thu, 4 Mar 2021 21:19:08 +0000 (+0100)
Subject: CVE-2020-28019: Failure to reset function pointer after BDAT error
X-Git-Tag: exim-4.95-RC0~51^2~27
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/6552729ba7975985cbcb938cf4ecf7b54e395763

CVE-2020-28019: Failure to reset function pointer after BDAT error

Based on Phil Pennock's commits 4715403e and 151ffd72, and Jeremy Harris's commits aa171254 and 9aceb5c2.
(cherry picked from commit 0a3fbb7e3be375bc93b8e359c6aff333c7c2d76f)
(cherry picked from commit 99d057fad97a2def9f000ebccda83e4008112819)
---

diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index b6d530f93..6d2339770 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -794,15 +794,22 @@ else
 }
 receive_getc = bdat_getc;
+receive_getbuf = bdat_getbuf;
 receive_ungetc = bdat_ungetc;
 }
 static inline void bdat_pop_receive_functions(void) {
+if (lwr_receive_getc == NULL)
+ {
+ DEBUG(D_receive) debug_printf("chunking double-pop receive functions\n");
+ return;
+ }
 receive_getc = lwr_receive_getc;
 receive_getbuf = lwr_receive_getbuf;
 receive_ungetc = lwr_receive_ungetc;
+
 lwr_receive_getc = NULL;
 lwr_receive_getbuf = NULL;
 lwr_receive_ungetc = NULL;
@@ -5341,7 +5348,7 @@ while (done <= 0)
 DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n", (int)chunking_state, chunking_data_left);
- f.bdat_readers_wanted = TRUE;
+ f.bdat_readers_wanted = TRUE; /* FIXME: redundant vs chunking_state? */
 f.dot_ends = FALSE;
 goto DATA_BDAT;
@@ -5391,6 +5398,12 @@ while (done <= 0)
 sender_address = NULL; /* This will allow a new MAIL without RSET */
 sender_address_unrewritten = NULL;
 smtp_printf("554 Too many recipients\r\n", FALSE);
+
+ if (chunking_state > CHUNKING_OFFERED)
+ {
+ bdat_push_receive_functions();
+ bdat_flush_data();
+ }
 break;
 }
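Review bot: The new guard at the top of `bdat_pop_receive_functions()` depends on an invariant that the hunk never writes down: `lwr_receive_getc == NULL` stands for "nothing pushed" for all three saved pointers, and only that one is tested. Without the guard a second pop would copy the already-cleared `lwr_*` values into `receive_getc`, `receive_getbuf` and `receive_ungetc`, so a later call through them would dereference NULL. That is worth stating above the check, e.g. `/* lwr_receive_getc == NULL: nothing pushed; popping again would install NULL receive_* pointers */`. The early return is reported only under `DEBUG(D_receive)`, so an unbalanced push/pop in the chunking state machine is silent in normal operation; consider whether it should also reach the main log. The matching push function starts above the hunk, so its double-push branch is not visible here.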
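Review bot: In the 554 "Too many recipients" branch the added cleanup does not say why the BDAT readers are pushed again before `bdat_flush_data()`, and `chunking_state > CHUNKING_OFFERED` depends on the ordering of an enum defined outside this hunk. A comment such as `/* a BDAT chunk is still pending: reinstall the bdat_* readers and discard its data */` would record the intent. It presumably matters because leftover chunk bytes would otherwise be read as SMTP commands, and `bdat_flush_data()` is expected to restore the lower-level readers afterwards; both should be confirmed against its definition. Only this rejection path is covered, so if other early `break`s in the loop can be reached with a chunk outstanding they need the same two calls, and a small helper would keep them from drifting. The enclosing `while (done <= 0)` loop starts and ends outside the hunk.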