path: root/debian/patches/84_16-Security-Check-overrun-rcpt_count-integer.patch
blob: f8bda5474772287279d3624e89f85432995eba65 (plain)
From 56aadff97bc4e45e6a2ce25cfb9a98a4ae4bec79 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Sun, 21 Feb 2021 22:05:37 -0800
Subject: [PATCH 16/29] Security: Check overrun rcpt_count integer

Based on Heiko Schlittermann's commit e5cb5e61. This fixes:

4/ In src/smtp_in.c:

4966     case RCPT_CMD:
4967       HAD(SCH_RCPT);
4968       rcpt_count++;
....
5123       if (rcpt_count > recipients_max && recipients_max > 0)

In theory this recipients_max check can be bypassed, because the int
rcpt_count can overflow (become negative). In practice this would either
consume too much memory or generate too much network traffic, but maybe
it should be fixed anyway.
---
 src/smtp_in.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/smtp_in.c b/src/smtp_in.c
index bdcfde65f..1a5fbfea3 100644
--- a/src/smtp_in.c
+++ b/src/smtp_in.c
@@ -4993,6 +4993,8 @@ while (done <= 0)
 
     case RCPT_CMD:
       HAD(SCH_RCPT);
+      if (rcpt_count < 0 || rcpt_count >= INT_MAX/2)
+        log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Too many recipients: %d", rcpt_count);
       rcpt_count++;
       was_rcpt = fl.rcpt_in_progress = TRUE;
 
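Review bot: the bound `INT_MAX/2` in the check added before `rcpt_count++` has no stated rationale, and the `rcpt_count < 0` arm can only be true after the counter has already wrapped, which the `>= INT_MAX/2` arm is there to prevent. A short comment above the `if` would help: say that the guard stops the signed counter from overflowing, why half of `INT_MAX` was chosen as the ceiling, and that it is the only cap when `recipients_max` is 0, since the later test quoted in the commit message (`rcpt_count > recipients_max && recipients_max > 0`) is skipped in that case. Two further points to confirm: `INT_MAX` needs `<limits.h>` in scope in src/smtp_in.c, which this hunk does not show, and `LOG_PANIC_DIE` is raised here on a count that the remote client drives, with no SMTP reply sent first, so it is worth checking whether a panic-level entry and process exit is the intended handling rather than rejecting the command.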
-- 
2.30.2