Diffstat (limited to 'debian/patches/84_18-Security-Fix-off-by-one-in-smtp-transport-read-respo.patch')
-rw-r--r-- | debian/patches/84_18-Security-Fix-off-by-one-in-smtp-transport-read-respo.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/debian/patches/84_18-Security-Fix-off-by-one-in-smtp-transport-read-respo.patch b/debian/patches/84_18-Security-Fix-off-by-one-in-smtp-transport-read-respo.patch
new file mode 100644
index 0000000..47d67d2
--- /dev/null
+++ b/debian/patches/84_18-Security-Fix-off-by-one-in-smtp-transport-read-respo.patch
@@ -0,0 +1,47 @@
+From 28335a4704d8d615fd61e05ea6e435a4cd24e4df Mon Sep 17 00:00:00 2001
+From: Qualys Security Advisory <qsa@qualys.com>
+Date: Sun, 21 Feb 2021 22:13:18 -0800
+Subject: [PATCH 18/29] Security: Fix off-by-one in smtp transport (read
+ response)
+
+Based on Heiko Schlittermann's commit 1887a160. This fixes:
+
+1/ In src/transports/smtp.c:
+
+2281 int n = sizeof(sx->buffer);
+2282 uschar * rsp = sx->buffer;
+2283
+2284 if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
+2285 { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
+
+This should probably be either:
+
+rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n - 1;
+
+or:
+
+rsp = sx->buffer + n; n = sizeof(sx->buffer) - n;
+
+(not sure which) to avoid an off-by-one.
+---
+ src/transports/smtp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/transports/smtp.c b/src/transports/smtp.c
+index cc37e73f3..07b63a2aa 100644
+--- a/src/transports/smtp.c
++++ b/src/transports/smtp.c
+@@ -2328,8 +2328,8 @@ goto SEND_QUIT;
+ int n = sizeof(sx->buffer);
+ uschar * rsp = sx->buffer;
+
+- if (sx->esmtp_sent && (n = Ustrlen(sx->buffer)) < sizeof(sx->buffer)/2)
+- { rsp = sx->buffer + n + 1; n = sizeof(sx->buffer) - n; }
++ if (sx->esmtp_sent && (n = Ustrlen(sx->buffer) + 1) < sizeof(sx->buffer)/2)
++ { rsp = sx->buffer + n; n = sizeof(sx->buffer) - n; }
+
+ if (smtp_write_command(sx, SCMD_FLUSH, "HELO %s\r\n", sx->helo_data) < 0)
+ goto SEND_FAILED;
+--
+2.30.2
+ |
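Review bot: In the new `if` of the embedded src/transports/smtp.c hunk, `n` is still assigned inside the condition, so when `sx->esmtp_sent` is set and the string already in `sx->buffer` takes half the buffer or more, the branch is skipped but `n` is left at `Ustrlen(sx->buffer) + 1` rather than `sizeof(sx->buffer)`, while `rsp` still points at the start of the buffer. That value is smaller than the buffer, so it looks safe as a bound, but the code that consumes `rsp` and `n` after the HELO write is outside the hunk and should be checked against this path. Holding the length in its own local (say `int used`), as in `(used = Ustrlen(sx->buffer) + 1) < sizeof(sx->buffer)/2` followed by `{ rsp = sx->buffer + used; n = sizeof(sx->buffer) - used; }`, would keep `n` at the full size on the fall-through path. A comment such as `/* rsp starts just past the NUL of the string already in sx->buffer; n is the space from rsp to the end of the buffer */` would also record the invariant that the patch description says it was unsure about. The enclosing block starts and ends outside the hunk.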