path: root/debian/patches/84_04-CVE-2020-28010-Heap-out-of-bounds-write-in-main.patch
blob: 9e3d36827660330c4850b8ec33bf4bfb7fe98e0f (plain)
From 5987d0dfe88ee6081b72857bc8085c7d2afd53a3 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Sun, 21 Feb 2021 19:17:32 -0800
Subject: [PATCH 04/29] CVE-2020-28010: Heap out-of-bounds write in main()

Based on Phil Pennock's commit 0f57feb4.
---
 src/exim.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/exim.c b/src/exim.c
index 83b5ef51f..a7dc48c4e 100644
--- a/src/exim.c
+++ b/src/exim.c
@@ -3664,6 +3664,9 @@ during readconf_main() some expansion takes place already. */
 /* Store the initial cwd before we change directories.  Can be NULL if the
 dir has already been unlinked. */
 initial_cwd = os_getcwd(NULL, 0);
+if (initial_cwd && strlen(CCS initial_cwd) >= BIG_BUFFER_SIZE) {
+  exim_fail("exim: initial cwd is far too long\n");
+}
 
 /* checking:
     -be[m] expansion test        -
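Review bot: The added guard compares the cwd length with the constant `BIG_BUFFER_SIZE`, but the write it is meant to protect (second hunk) is bounded by the variable `big_buffer_size` minus whatever has already been placed in `big_buffer`, so this check alone does not prove the path fits. If those two sizes can ever differ, or the prefix grows, the `snprintf` bound is the only thing keeping a long cwd inside the heap buffer. I would record that with a comment such as `/* Sanity limit only; the bounded copy in the arguments log enforces the real buffer size. */`. The check also appears to run unconditionally, so any invocation from an over-long directory now fails, not only those that log arguments, which deserves a mention in the same comment. The `if (...) {` brace placement differs from the `else` / `{` layout visible in the second hunk.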
@@ -3950,11 +3953,9 @@ if (  (debug_selector & D_any  ||  LOGGING(arguments))
     p += 13;
   else
     {
-    Ustrncpy(p + 4, initial_cwd, big_buffer_size-5);
-    p += 4 + Ustrlen(initial_cwd);
-    /* in case p is near the end and we don't provide enough space for
-     * string_format to be willing to write. */
-    *p = '\0';
+    p += 4;
+    snprintf(CS p, big_buffer_size - (p - big_buffer), "%s", CCS initial_cwd);
+    p += strlen(CCS p);
     }
 
   (void)string_format(p, big_buffer_size - (p - big_buffer), " %d args:", argc);
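Review bot: The return value of `snprintf` is discarded on the added line, so a cwd that does not fit in the remaining space is cut short with no sign of it in the logged line; a truncated path in an arguments log can read as a different directory during a later investigation. Capturing the result, e.g. `int n = snprintf(...)`, and comparing it with the size passed would let the code mark the truncation. The size expression `big_buffer_size - (p - big_buffer)` is converted to `size_t`, so it is only safe while `p` is still inside `big_buffer`; that invariant is set up earlier in the `if`, which starts outside this hunk. A one-line comment such as `/* snprintf() truncates and NUL-terminates, so p + strlen(p) stays within big_buffer */` would record why the following `strlen` is safe.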
-- 
2.30.2