From: Jeremy Harris
Date: Thu, 4 Mar 2021 21:19:08 +0000 (+0100)
Subject: CVE-2020-28019: Failure to reset function pointer after BDAT error
X-Git-Tag: exim-4.94.1~27
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/99d057fad97a2def9f000ebccda83e4008112819
CVE-2020-28019: Failure to reset function pointer after BDAT error
Based on Phil Pennock's commits 4715403e and 151ffd72, and Jeremy Harris's commits aa171254 and 9aceb5c2.
(cherry picked from commit 0a3fbb7e3be375bc93b8e359c6aff333c7c2d76f)
---
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 0b6733673..190064eed 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -794,15 +794,22 @@ else
 }
 receive_getc = bdat_getc;
+receive_getbuf = bdat_getbuf;
 receive_ungetc = bdat_ungetc;
 }
 static inline void bdat_pop_receive_functions(void) {
+if (lwr_receive_getc == NULL)
+ {
+ DEBUG(D_receive) debug_printf("chunking double-pop receive functions\n");
+ return;
+ }
 receive_getc = lwr_receive_getc;
 receive_getbuf = lwr_receive_getbuf;
 receive_ungetc = lwr_receive_ungetc;
+
 lwr_receive_getc = NULL;
 lwr_receive_getbuf = NULL;
 lwr_receive_ungetc = NULL;
@@ -5319,7 +5326,7 @@ while (done <= 0)
 DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n", (int)chunking_state, chunking_data_left);
- f.bdat_readers_wanted = TRUE;
+ f.bdat_readers_wanted = TRUE; /* FIXME: redundant vs chunking_state? */
 f.dot_ends = FALSE;
 goto DATA_BDAT;
@@ -5369,6 +5376,12 @@ while (done <= 0)
 sender_address = NULL; /* This will allow a new MAIL without RSET */
 sender_address_unrewritten = NULL;
 smtp_printf("554 Too many recipients\r\n", FALSE);
+
+ if (chunking_state > CHUNKING_OFFERED)
+ {
+ bdat_push_receive_functions();
+ bdat_flush_data();
+ }
 break;
 }
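Review bot: In bdat_pop_receive_functions() the new guard tests only `lwr_receive_getc == NULL`, yet the function goes on to restore and clear three pointers, so the rule that all three lwr_receive_* slots are set and cleared together stays implicit. A comment above the guard would record it, for example `/* lwr_receive_getc == NULL means nothing is pushed; the three lwr_receive_* pointers are always saved and cleared together */`. The double-pop case is reported only under DEBUG(D_receive), so a build running without that debug selector leaves no trace that push and pop went out of step; it may deserve a regular log line. bdat_push_receive_functions() begins outside the hunk, so its half of the pairing cannot be checked from here.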
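Review bot: The block added after the `554 Too many recipients` reply calls bdat_push_receive_functions() with no matching pop visible in the hunk, and in a commit about receive pointers left stale after a BDAT error that pairing should be stated at the call site. If bdat_flush_data() restores the lower-level functions itself (its body is not part of this diff), say so in a comment such as `/* BDAT in progress: discard the rest of the chunk; bdat_flush_data() pops the receive functions when done */`; if it does not, a pop is missing here. The test `chunking_state > CHUNKING_OFFERED` also relies on the ordering of the enum values, which is worth a word given that the FIXME added in the previous hunk already questions how chunking_state and f.bdat_readers_wanted relate. The enclosing while loop starts and ends outside the hunk.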