From: Heiko Schlittermann (HS12-RIPE) Date: Mon, 29 Mar 2021 20:16:28 +0000 (+0200) Subject: CVE-2020-28010: Heap out-of-bounds write in main() X-Git-Tag: exim-4.94.1~21 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/dbc3ab675c2e5e2a07ed13dc5ede4daa018600e7 CVE-2020-28010: Heap out-of-bounds write in main() Based on Phil Pennock's 0f57feb4. Done by Qualys, modified by me. (cherry picked from commit b0982c2776048948ebae48574b70fa487684cb8c) --- diff --git a/src/src/exim.c b/src/src/exim.c index f7a45ff09..975b39a58 100644 --- a/src/src/exim.c +++ b/src/src/exim.c @@ -3839,7 +3839,6 @@ during readconf_main() some expansion takes place already. */ /* Store the initial cwd before we change directories. Can be NULL if the dir has already been unlinked. */ -errno = 0; initial_cwd = os_getcwd(NULL, 0); if (!initial_cwd && errno) exim_fail("exim: getting initial cwd failed: %s\n", strerror(errno)); @@ -4133,11 +4132,9 @@ if ( (debug_selector & D_any || LOGGING(arguments)) p += 13; else { - Ustrncpy(p + 4, initial_cwd, big_buffer_size-5); - p += 4 + Ustrlen(initial_cwd); - /* in case p is near the end and we don't provide enough space for - * string_format to be willing to write. */ - *p = '\0'; + p += 4; + snprintf(CS p, big_buffer_size - (p - big_buffer), "%s", CCS initial_cwd); + p += Ustrlen(CCS p); } (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
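Review bot: With `errno = 0;` removed, the test `if (!initial_cwd && errno)` reads whatever value `errno` held before the call whenever `os_getcwd(NULL, 0)` returns NULL without setting it. The body of `os_getcwd` is not part of this hunk, so whether every NULL return sets `errno` cannot be confirmed here. If it does, say so next to the call, e.g. `/* os_getcwd() sets errno on every NULL return; no reset needed */`. If it does not, keep the reset so that `exim_fail` cannot report an unrelated error string. The surrounding code of main() starts and ends outside the hunk.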
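Review bot: The new `snprintf(CS p, big_buffer_size - (p - big_buffer), "%s", CCS initial_cwd)` truncates silently and its return value is discarded. A cwd that fills the rest of `big_buffer` leaves the following `string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc)` with one byte, so the argument list would be missing from the entry with no marker. Unless the length of `initial_cwd` is bounded before this point (not visible in the hunk), keep the remaining size in a local such as `room` and compare it with the result: `int n = snprintf(CS p, room, "%s", CCS initial_cwd);` then `if (n < 0 || n >= room) /* record that the entry was truncated */`. The branch also assumes `initial_cwd` is non-NULL, although the comment in the first hunk says it can be NULL. The guarding condition sits above this hunk, so a one-line comment on the `else` stating that assumption would help the next reader.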