From 6b647c508aced6961f00e139f0337e2c8aba9eb7 Mon Sep 17 00:00:00 2001 From: Qualys Security Advisory Date: Sun, 21 Feb 2021 22:24:13 -0800 Subject: [PATCH 20/29] Security: Leave a clean smtp_out input buffer even in case of read error Based on Heiko Schlittermann's commit 54895bc3. This fixes: 7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated when -1 is returned. This does not seem to have bad consequences, but is maybe not the intended behavior. --- src/smtp_out.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) --- a/src/smtp_out.c +++ b/src/smtp_out.c @@ -387,11 +387,11 @@ HDEBUG(D_transport|D_acl|D_v) #ifdef SUPPORT_SOCKS if (ob->socks_proxy) { int sock = socks_sock_connect(sc->host, sc->host_af, port, sc->interface, sc->tblock, ob->connect_timeout); - + if (sock >= 0) { if (early_data && early_data->data && early_data->len) if (send(sock, early_data->data, early_data->len, 0) < 0) { @@ -588,11 +588,11 @@ Arguments: buffer where to put the line size space available for the line timelimit deadline for reading the lime, seconds past epoch Returns: length of a line that has been put in the buffer - -1 otherwise, with errno set + -1 otherwise, with errno set, and inblock->ptr adjusted */ static int read_response_line(smtp_inblock *inblock, uschar *buffer, int size, time_t timelimit) { @@ -629,10 +629,11 @@ for (;;) *p++ = c; if (--size < 4) { *p = 0; /* Leave malformed line for error message */ errno = ERRNO_SMTPFORMAT; + inblock->ptr = ptr; return -1; } } /* Need to read a new input packet. */ @@ -654,10 +655,11 @@ for (;;) } /* Get here if there has been some kind of recv() error; errno is set, but we ensure that the result buffer is empty before returning. */ +inblock->ptr = inblock->ptrend = inblock->buffer; *buffer = 0; return -1; }
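Review bot: The new `Returns:` text in the header comment of read_response_line(), `-1 otherwise, with errno set, and inblock->ptr adjusted`, does not say what "adjusted" means, and the two -1 paths touched later in this patch leave different states. On the ERRNO_SMTPFORMAT path `inblock->ptr` is advanced past the bytes already copied, while on the read-error path both `inblock->ptr` and `inblock->ptrend` are reset to `inblock->buffer`. I would spell that out, e.g. `-1 otherwise, with errno set; on ERRNO_SMTPFORMAT inblock->ptr is advanced past the consumed bytes, on a read error inblock->ptr and inblock->ptrend are reset to inblock->buffer`. The context line `deadline for reading the lime` also has a typo for "line".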
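Review bot: After the added `inblock->ptr = ptr;` on the `--size < 4` path, the unread tail of the over-long line still sits between `inblock->ptr` and `inblock->ptrend`, so a later call on the same inblock would hand that tail back as if it began a new response line. Whether any caller reads again after ERRNO_SMTPFORMAT is not visible in this hunk; if callers always drop the connection this is harmless, but the assignment deserves a comment such as `/* consumed bytes are dropped; the rest of the over-long line stays buffered and must not be parsed as a new response */`. If the connection can be reused, skipping ahead to the next `'\n'`, or emptying the block as the read-error path does, would leave a safer state. The loop and the rest of the function lie outside the hunk.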
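Review bot: The block comment above the added `inblock->ptr = inblock->ptrend = inblock->buffer;` still says only that the result buffer is emptied, so the reason for the new reset is undocumented at the point where it happens. I would extend that comment with a sentence like `We also empty the input block, so that bytes already consumed from it cannot be read again by a later call.` This reading is inferred from the commit message, which notes that `inblock->ptr` was previously not updated when -1 was returned. The loop that breaks out to this code starts outside the hunk.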