From 56aadff97bc4e45e6a2ce25cfb9a98a4ae4bec79 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory
Date: Sun, 21 Feb 2021 22:05:37 -0800
Subject: [PATCH 16/29] Security: Check overrun rcpt_count integer

Based on Heiko Schlittermann's commit e5cb5e61. This fixes:
4/ In src/smtp_in.c:
4966 case RCPT_CMD:
4967 HAD(SCH_RCPT);
4968 rcpt_count++;
....
5123 if (rcpt_count > recipients_max && recipients_max > 0)
In theory this recipients_max check can be bypassed, because the int rcpt_count can overflow (become negative). In practice this would either consume too much memory or generate too much network traffic, but maybe it should be fixed anyway.
---
 src/smtp_in.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/smtp_in.c b/src/smtp_in.c
index bdcfde65f..1a5fbfea3 100644
--- a/src/smtp_in.c
+++ b/src/smtp_in.c
@@ -4993,6 +4993,8 @@ while (done <= 0)
 case RCPT_CMD:
 HAD(SCH_RCPT);
+ if (rcpt_count < 0 || rcpt_count >= INT_MAX/2)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Too many recipients: %d", rcpt_count);
 rcpt_count++;
 was_rcpt = fl.rcpt_in_progress = TRUE;
--
2.30.2
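Review bot: The guard added before `rcpt_count++` ends the session through `LOG_PANIC_DIE`, so a state that a remote client can reach simply by repeating RCPT is reported through the panic log, and the client presumably gets no SMTP reply. If this is meant as a last-resort backstop, the code should say so; otherwise an ordinary log entry with a temporary-failure response and a clean connection close would suit this path better. The bound `INT_MAX/2` and the `rcpt_count < 0` arm are also unexplained, and a comment such as `/* rcpt_count is a signed int: stop well before it can wrap negative and slip past the recipients_max comparison later in this case */` would record the reason. The `RCPT_CMD` case continues outside the hunk, so it cannot be confirmed from here that this is the only place the counter is incremented or that `INT_MAX` is already declared for this file.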