Diffstat (limited to 'debian/patches/84_03-CVE-2020-28023-Out-of-bounds-read-in-smtp_setup_msg.patch')
-rw-r--r-- | debian/patches/84_03-CVE-2020-28023-Out-of-bounds-read-in-smtp_setup_msg.patch | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/debian/patches/84_03-CVE-2020-28023-Out-of-bounds-read-in-smtp_setup_msg.patch b/debian/patches/84_03-CVE-2020-28023-Out-of-bounds-read-in-smtp_setup_msg.patch
new file mode 100644
index 0000000..28af9cc
--- /dev/null
+++ b/debian/patches/84_03-CVE-2020-28023-Out-of-bounds-read-in-smtp_setup_msg.patch
@@ -0,0 +1,58 @@
+From 4cfadd994e5ab6e57cc43164d1e3198bb4faedbb Mon Sep 17 00:00:00 2001
+From: Qualys Security Advisory <qsa@qualys.com>
+Date: Sun, 21 Feb 2021 19:11:55 -0800
+Subject: [PATCH 03/29] CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
+
+Extracted from Jeremy Harris's commit afaf5a50.
+---
+ src/acl.c | 3 ++-
+ src/macros.h | 1 +
+ src/smtp_in.c | 4 ++--
+ 3 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/src/acl.c b/src/acl.c
+index f3b860e4a..49f6fe79c 100644
+--- a/src/acl.c
++++ b/src/acl.c
+@@ -4464,7 +4464,8 @@ switch (where)
+ /* Drop cutthrough conns, and drop heldopen verify conns if
+ the previous was not DATA */
+ {
+- uschar prev = smtp_connection_had[smtp_ch_index-2];
++ uschar prev =
++ smtp_connection_had[SMTP_HBUFF_PREV(SMTP_HBUFF_PREV(smtp_ch_index))];
+ BOOL dropverify = !(prev == SCH_DATA || prev == SCH_BDAT);
+
+ cancel_cutthrough_connection(dropverify, US"quit or conndrop");
+diff --git a/src/macros.h b/src/macros.h
+index 0f93543ce..b3896b736 100644
+--- a/src/macros.h
++++ b/src/macros.h
+@@ -154,6 +154,7 @@ enough to hold all the headers from a normal kind of message. */
+ /* The size of the circular buffer that remembers recent SMTP commands */
+
+ #define SMTP_HBUFF_SIZE 20
++#define SMTP_HBUFF_PREV(n) ((n) ? (n)-1 : SMTP_HBUFF_SIZE-1)
+
+ /* The initial size of a big buffer for use in various places. It gets put
+ into big_buffer_size and in some circumstances increased. It should be at least
+diff --git a/src/smtp_in.c b/src/smtp_in.c
+index 86f87eae1..4265d77b7 100644
+--- a/src/smtp_in.c
++++ b/src/smtp_in.c
+@@ -5322,10 +5322,10 @@ while (done <= 0)
+ }
+ if (f.smtp_in_pipelining_advertised && last_was_rcpt)
+ smtp_printf("503 Valid RCPT command must precede %s\r\n", FALSE,
+- smtp_names[smtp_connection_had[smtp_ch_index-1]]);
++ smtp_names[smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)]]);
+ else
+ done = synprot_error(L_smtp_protocol_error, 503, NULL,
+- smtp_connection_had[smtp_ch_index-1] == SCH_DATA
++ smtp_connection_had[SMTP_HBUFF_PREV(smtp_ch_index)] == SCH_DATA
+ ? US"valid RCPT command must precede DATA"
+ : US"valid RCPT command must precede BDAT");
+
+--
+2.30.2
+ |
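Review bot: SMTP_HBUFF_PREV in the src/macros.h hunk repairs only the lower bound: it maps 0 to SMTP_HBUFF_SIZE-1 but assumes `n` is already below SMTP_HBUFF_SIZE, and it evaluates `n` twice. Neither precondition is written down next to the macro. I would add a comment above it such as `/* Slot before n in smtp_connection_had[]; n must be in 0..SMTP_HBUFF_SIZE-1 and have no side effects (evaluated twice) */`. With the wrap, the reads in src/acl.c and src/smtp_in.c land on the last slots of the buffer whenever fewer than two commands have been recorded, so the fix relies on smtp_connection_had[] being reset to a known value for each connection. That reset is presumably done where smtp_ch_index is zeroed, which is outside these hunks and worth confirming, because in smtp_in.c the value read is then used as an index into smtp_names[]. The enclosing `switch (where)` and `while (done <= 0)` bodies start and end outside the hunks.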