From 6d2c02560e5c0aa7cef83d02b26f193135b93e21 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Mon, 9 May 2022 14:45:53 +0100
Subject: [PATCH] Fix string_copyn() for limit greater than actual string length

Broken-by: a76d120aed
---
 doc/doc-txt/ChangeLog | 5 +++++
 src/src/functions.h | 5 ++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 82bac62b9..d492a62b7 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -131,6 +131,11 @@ JH/29 TLS resumption: the key for session lookup in the client now includes
 session, avoiding oferring mismatching sessions to such a server.
 Previously only the server IP was used.
+JH/30 Fix string_copyn() for limit greater than actual string length.
+ Previously the copied amount was the limit, which could result in a
+ overlapping memcpy for newly allocated destination soon after a
+ source string shorter than the limit. Found/investigated by KM.
+
 Exim version 4.95
 -----------------
diff --git a/src/src/functions.h b/src/src/functions.h
index f8e0cd77e..07df8755b 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -788,7 +788,10 @@ static inline uschar *
 string_copyn_taint_trc(const uschar * s, unsigned len, const void * proto_mem,
 const char * func, int line)
 {
-uschar * ss = store_get_3(len + 1, proto_mem, func, line);
+uschar * ss;
+unsigned slen = Ustrlen(s);
+if (len > slen) len = slen;
+ss = store_get_3(len + 1, proto_mem, func, line);
 memcpy(ss, s, len);
 ss[len] = '\0';
 return ss;
-- 
2.30.2
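Review bot: The new clamp line `unsigned slen = Ustrlen(s);` in string_copyn_taint_trc scans `s` without a bound, so a caller that passes a source not NUL-terminated within `len` bytes — the usual reason to use a length-limited copy — now reads past the `len` bytes the old code touched, trading the overlapping-memcpy issue for a potential over-read. A bounded scan keeps the fix and the previous reading limit: `unsigned slen = strnlen((const char *)s, len);` (POSIX strnlen; if the tree already has a bounded Ustrlen-style wrapper, that is preferable), with `if (len > slen) len = slen;` left as written. Reassigning the `len` parameter in place is fine here but is easy to misread; a one-line comment above the clamp such as `/* copy at most len bytes, fewer if s is shorter */` would state the contract the ChangeLog entry describes. The rest of the function is visible in the hunk, so no further change is needed for the memcpy and terminator lines.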