Taint: fix off-by-one in is_tainted(). Bug 2634

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index eb64e0abf3dd850290d48f151e50876d17309bc4..9048e3f0e7e12b67bbf45904ca0372eadc8a665f 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -111,6 +111,11 @@ JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be
 JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI
       in quotes.
 
+JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for
+      is_tainted() had an off-by-one error in the overenthusiastic direction.
+      Find and fix by Gavan.  Although NetBSD is not a supported platform for
+      4.94 this bug could affect other platforms.
+
 
 Exim version 4.94
 -----------------

diff --git a/src/src/store.c b/src/src/store.c
index 47d6f9106cc1acc9a85cc5760234a69e2bc7ef6e..df7078fea24a7c4f9055d37b9b197dc35890e4d4 100644 (file)
--- a/src/src/store.c
+++ b/src/src/store.c
@@ -188,14 +188,14 @@ for (int pool = POOL_TAINT_BASE; pool < nelem(chainbase); pool++)
   if ((b = current_block[pool]))
     {
     uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK;
-    if (US p >= bc && US p <= bc + b->length) return TRUE;
+    if (US p >= bc && US p < bc + b->length) return TRUE;
     }
 
 for (int pool = POOL_TAINT_BASE; pool < nelem(chainbase); pool++)
   for (b = chainbase[pool]; b; b = b->next)
     {
     uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK;
-    if (US p >= bc && US p <= bc + b->length) return TRUE;
+    if (US p >= bc && US p < bc + b->length) return TRUE;
     }
 return FALSE;
 }