path: root/debian/patches/84_20-Security-Leave-a-clean-smtp_out-input-buffer-even-in.patch
From 6b647c508aced6961f00e139f0337e2c8aba9eb7 Mon Sep 17 00:00:00 2001
From: Qualys Security Advisory <qsa@qualys.com>
Date: Sun, 21 Feb 2021 22:24:13 -0800
Subject: [PATCH 20/29] Security: Leave a clean smtp_out input buffer even in
 case of read error

Based on Heiko Schlittermann's commit 54895bc3. This fixes:

7/ In src/smtp_out.c, read_response_line(), inblock->ptr is not updated
when -1 is returned. This does not seem to have bad consequences, but is
maybe not the intended behavior.
---
 src/smtp_out.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/src/smtp_out.c
+++ b/src/smtp_out.c
@@ -387,11 +387,11 @@ HDEBUG(D_transport|D_acl|D_v)
 #ifdef SUPPORT_SOCKS
 if (ob->socks_proxy)
   {
   int sock = socks_sock_connect(sc->host, sc->host_af, port, sc->interface,
 				sc->tblock, ob->connect_timeout);
-  
+
   if (sock >= 0)
     {
     if (early_data && early_data->data && early_data->len)
       if (send(sock, early_data->data, early_data->len, 0) < 0)
 	{
@@ -588,11 +588,11 @@ Arguments:
   buffer    where to put the line
   size      space available for the line
   timelimit deadline for reading the lime, seconds past epoch
 
 Returns:    length of a line that has been put in the buffer
-            -1 otherwise, with errno set
+            -1 otherwise, with errno set, and inblock->ptr adjusted
 */
 
 static int
 read_response_line(smtp_inblock *inblock, uschar *buffer, int size, time_t timelimit)
 {
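Review bot: The new Returns text, "and inblock->ptr adjusted", does not say what state the input block is left in, and the two failure paths touched by this patch leave it in different states. The ERRNO_SMTPFORMAT return stores the current read position (`inblock->ptr = ptr;`), while the recv() error return empties the block (`inblock->ptr = inblock->ptrend = inblock->buffer;`). I would spell that out, e.g. `-1 otherwise, with errno set; on ERRNO_SMTPFORMAT inblock->ptr is left after the last byte consumed, on a recv() error the input block is emptied`. The comment above the final return in the last hunk still mentions only the result buffer and could gain `The input block is emptied as well, so stale bytes are not parsed on a later call.` The function body continues outside this hunk.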
@@ -629,10 +629,11 @@ for (;;)
     *p++ = c;
     if (--size < 4)
       {
       *p = 0;                     /* Leave malformed line for error message */
       errno = ERRNO_SMTPFORMAT;
+      inblock->ptr = ptr;
       return -1;
       }
     }
 
   /* Need to read a new input packet. */
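Review bot: After `inblock->ptr = ptr;` the unread tail of the overlong line still sits between `ptr` and `inblock->ptrend`, so a caller that reads again after ERRNO_SMTPFORMAT would have the middle of a server-supplied line parsed as the start of a fresh response. Whether any caller does that is not visible here, since the start of the loop and the callers are outside the hunk. If the connection is always abandoned on this error, a comment would make the contract explicit, for example `/* Rest of the overlong line stays in inblock; caller must not read further responses */`. By contrast, the recv() error path in the last hunk discards all buffered input, so the difference between the two paths looks worth stating.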
@@ -654,10 +655,11 @@ for (;;)
   }
 
 /* Get here if there has been some kind of recv() error; errno is set, but we
 ensure that the result buffer is empty before returning. */
 
+inblock->ptr = inblock->ptrend = inblock->buffer;
 *buffer = 0;
 return -1;
 }