Diffstat (limited to 'debian/patches/84_09-CVE-2020-28022-Heap-out-of-bounds-read-and-write-in-.patch')
-rw-r--r-- | debian/patches/84_09-CVE-2020-28022-Heap-out-of-bounds-read-and-write-in-.patch | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/debian/patches/84_09-CVE-2020-28022-Heap-out-of-bounds-read-and-write-in-.patch b/debian/patches/84_09-CVE-2020-28022-Heap-out-of-bounds-read-and-write-in-.patch
new file mode 100644
index 0000000..1ace416
--- /dev/null
+++ b/debian/patches/84_09-CVE-2020-28022-Heap-out-of-bounds-read-and-write-in-.patch
@@ -0,0 +1,61 @@
+From f46455c848def70d686d7b164df75b27f8dae04d Mon Sep 17 00:00:00 2001
+From: Qualys Security Advisory <qsa@qualys.com>
+Date: Sun, 21 Feb 2021 19:53:43 -0800
+Subject: [PATCH 09/29] CVE-2020-28022: Heap out-of-bounds read and write in
+ extract_option()
+
+Based on Phil Pennock's commit c5017adf.
+---
+ src/smtp_in.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/src/smtp_in.c b/src/smtp_in.c
+index 4265d77b7..16c3a3e33 100644
+--- a/src/smtp_in.c
++++ b/src/smtp_in.c
+@@ -1984,29 +1984,35 @@ static BOOL
+ extract_option(uschar **name, uschar **value)
+ {
+ uschar *n;
+-uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
+-while (isspace(*v)) v--;
++uschar *v;
++if (Ustrlen(smtp_cmd_data) <= 0) return FALSE;
++v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
++while (v > smtp_cmd_data && isspace(*v)) v--;
+ v[1] = 0;
++
+ while (v > smtp_cmd_data && *v != '=' && !isspace(*v))
+ {
+ /* Take care to not stop at a space embedded in a quoted local-part */
+-
+- if (*v == '"') do v--; while (*v != '"' && v > smtp_cmd_data+1);
++ if (*v == '"')
++ {
++ do v--; while (v > smtp_cmd_data && *v != '"');
++ if (v <= smtp_cmd_data) return FALSE;
++ }
+ v--;
+ }
++if (v <= smtp_cmd_data) return FALSE;
+
+ n = v;
+ if (*v == '=')
+ {
+- while(isalpha(n[-1])) n--;
++ while (n > smtp_cmd_data && isalpha(n[-1])) n--;
+ /* RFC says SP, but TAB seen in wild and other major MTAs accept it */
+- if (!isspace(n[-1])) return FALSE;
++ if (n <= smtp_cmd_data || !isspace(n[-1])) return FALSE;
+ n[-1] = 0;
+ }
+ else
+ {
+ n++;
+- if (v == smtp_cmd_data) return FALSE;
+ }
+ *v++ = 0;
+ *name = n;
+--
+2.30.2
+ |
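Review bot: In the added lines of extract_option(), `Ustrlen(smtp_cmd_data)` is evaluated twice, once for the emptiness check and once to place `v`; taking it once, `int len = Ustrlen(smtp_cmd_data);` then `if (len <= 0) return FALSE;` and `v = smtp_cmd_data + len - 1;`, ties the guard and the end pointer to the same value. The new guards all enforce one invariant that is stated nowhere, so a comment ahead of the first loop such as `/* v and n must stay strictly above smtp_cmd_data: n[-1] is read and written below */` would keep a later edit from dropping one of them. `v[1] = 0;` still runs before the rejecting returns, so the command buffer is trimmed even when the function returns FALSE; whether callers rely on that is not visible here. The function body continues past the end of the hunk.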