From db96ca55137d7684a9afdf9d118feed9116906b7 Mon Sep 17 00:00:00 2001 From: "Heiko Schlittermann (HS12-RIPE)" Date: Wed, 25 Nov 2020 22:26:53 +0100 Subject: [PATCH] SECURITY: Check overrun rcpt_count integer Credits: Qualys 4/ In src/smtp_in.c: 4966 case RCPT_CMD: 4967 HAD(SCH_RCPT); 4968 rcpt_count++; .... 5123 if (rcpt_count > recipients_max && recipients_max > 0) In theory this recipients_max check can be bypassed, because the int rcpt_count can overflow (become negative). In practice this would either consume too much memory or generate too much network traffic, but maybe it should be fixed anyway. (cherry picked from commit 04139ca809fbe56d8fe9c55a77640ea9fa93b8f1) --- src/src/smtp_in.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index b48870d26..0b6733673 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -5014,6 +5014,10 @@ while (done <= 0) case RCPT_CMD: HAD(SCH_RCPT); + /* We got really to many recipients. A check against configured + limits is done later */ + if (rcpt_count < 0 || rcpt_count >= INT_MAX/2) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Too many recipients: %d", rcpt_count); rcpt_count++; was_rcpt = fl.rcpt_in_progress = TRUE; @@ -5170,7 +5174,7 @@ while (done <= 0) /* Check maximum allowed */ - if (rcpt_count > recipients_max && recipients_max > 0) + if (rcpt_count+1 < 0 || rcpt_count > recipients_max && recipients_max > 0) { if (recipients_max_reject) { -- 2.30.2