From: Heiko Schlittermann (HS12-RIPE) Date: Wed, 2 Dec 2020 21:28:02 +0000 (+0100) Subject: SECURITY: smtp_out: Leave a clean input buffer, even in case of read error X-Git-Tag: exim-4.95-RC0~51^2~28 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/da140cebadf56aeb3e2956ad4e317b0f9619a9e6?ds=sidebyside SECURITY: smtp_out: Leave a clean input buffer, even in case of read error Credits: Qualys 7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated when -1 is returned. This does not seem to have bad consequences, but is maybe not the intended behavior. (cherry picked from commit f7ac5a7d1e817bf60f161e7a1d40b65d66da607f) (cherry picked from commit 13f9998ebb937970d1d9d18f205a6e03e14105b4) --- diff --git a/src/src/smtp_out.c b/src/src/smtp_out.c index 2a4497488..eae74da00 100644 --- a/src/src/smtp_out.c +++ b/src/src/smtp_out.c @@ -472,7 +472,7 @@ if (ob->socks_proxy) { int sock = socks_sock_connect(sc->host, sc->host_af, port, sc->interface, sc->tblock, ob->connect_timeout); - + if (sock >= 0) { if (early_data && early_data->data && early_data->len) @@ -692,7 +692,7 @@ Arguments: timelimit deadline for reading the lime, seconds past epoch Returns: length of a line that has been put in the buffer - -1 otherwise, with errno set + -1 otherwise, with errno set, and inblock->ptr adjusted */ static int @@ -733,6 +733,7 @@ for (;;) { *p = 0; /* Leave malformed line for error message */ errno = ERRNO_SMTPFORMAT; + inblock->ptr = ptr; return -1; } }
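Review bot: The first hunk (@@ -472, around the socks_sock_connect() call) changes only a blank line, which has nothing to do with the input-buffer fix named in the subject. For a SECURITY commit that is cherry-picked across branches, drop this whitespace change or move it to a separate cleanup commit so the backport carries only the functional change.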
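Review bot: In the second hunk (@@ -692, the function comment), "and inblock->ptr adjusted" does not say what the pointer is adjusted to, so a caller still cannot tell from the comment what state the buffer is in after a -1 return. State the postcondition explicitly, for example that inblock->ptr is set to the function's current read position, and make sure the wording matches every path that returns -1. While editing this comment, the context line "deadline for reading the lime" has a typo for "line".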
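Review bot: In the third hunk (@@ -733), `inblock->ptr = ptr;` is added only on the ERRNO_SMTPFORMAT return, while the subject says "even in case of read error" and the updated comment promises the adjustment for any -1 return. The other -1 return paths of read_response_line() are not visible here; please confirm each of them also writes ptr back to inblock->ptr, or route all failure returns through one exit that does the store, so the documented behaviour cannot drift from the code.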