Diffstat (limited to 'debian/patches/84_16-Security-Check-overrun-rcpt_count-integer.patch')
-rw-r--r-- | debian/patches/84_16-Security-Check-overrun-rcpt_count-integer.patch | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/debian/patches/84_16-Security-Check-overrun-rcpt_count-integer.patch b/debian/patches/84_16-Security-Check-overrun-rcpt_count-integer.patch
new file mode 100644
index 0000000..f8bda54
--- /dev/null
+++ b/debian/patches/84_16-Security-Check-overrun-rcpt_count-integer.patch
@@ -0,0 +1,39 @@
+From 56aadff97bc4e45e6a2ce25cfb9a98a4ae4bec79 Mon Sep 17 00:00:00 2001
+From: Qualys Security Advisory <qsa@qualys.com>
+Date: Sun, 21 Feb 2021 22:05:37 -0800
+Subject: [PATCH 16/29] Security: Check overrun rcpt_count integer
+
+Based on Heiko Schlittermann's commit e5cb5e61. This fixes:
+
+4/ In src/smtp_in.c:
+
+4966 case RCPT_CMD:
+4967 HAD(SCH_RCPT);
+4968 rcpt_count++;
+....
+5123 if (rcpt_count > recipients_max && recipients_max > 0)
+
+In theory this recipients_max check can be bypassed, because the int
+rcpt_count can overflow (become negative). In practice this would either
+consume too much memory or generate too much network traffic, but maybe
+it should be fixed anyway.
+---
+ src/smtp_in.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/smtp_in.c b/src/smtp_in.c
+index bdcfde65f..1a5fbfea3 100644
+--- a/src/smtp_in.c
++++ b/src/smtp_in.c
+@@ -4993,6 +4993,8 @@ while (done <= 0)
+ 
+ case RCPT_CMD:
+ HAD(SCH_RCPT);
++ if (rcpt_count < 0 || rcpt_count >= INT_MAX/2)
++ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Too many recipients: %d", rcpt_count);
+ rcpt_count++;
+ was_rcpt = fl.rcpt_in_progress = TRUE;
+ 
+-- 
+2.30.2
+
|
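Review bot: The guard added before `rcpt_count++` in the `RCPT_CMD` case has no comment saying why the bound is `INT_MAX/2` or that it exists to stop the signed counter wrapping, so a later reader could mistake it for a policy limit on recipients. I would add above the `if` something like `/* rcpt_count is a signed int: stop well before it can wrap negative and slip past the recipients_max test further down */`. The patch description shows that later test is skipped when `recipients_max` is 0, which suggests this guard is then the only bound on the counter; the comment could say so. `LOG_PANIC_DIE` presumably ends the receiving process and writes to the panic log, so it is worth confirming that a client-driven condition belongs there rather than in an SMTP rejection. The enclosing `while (done <= 0)` loop and its switch start and end outside the hunk.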