SECURITY: Don't miss the very last byte when reading long lines from -H

Credits: Qualys 2/ In src/spool_in.c: 462 while ( (len = Ustrlen(big_buffer)) == big_buffer_size-1 463 && big_buffer[len-1] != '\n' 464 ) 465 { /* buffer not big enough for line; certs make this possible */ 466 uschar * buf; 467 if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR; 468 buf = store_get_perm(big_buffer_size *= 2, FALSE); 469 memcpy(buf, big_buffer, --len); The --len in memcpy() chops off a useful byte (we know for sure that big_buffer[len-1] is not a '\n' because we entered the while loop). (cherry picked from commit 58454ea01c2e817481770954edf09ad82f3cd417) (cherry picked from commit 2d9f1837bdd6c5946cb9cd997544eefc8cc14fc4)
author: Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> 2020-11-21 22:18:56 +0100
committer: Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> 2021-05-27 21:30:35 +0200
commit: 5dad84609e49ce4c45d29ccb98b1b7b1f296d69e (patch)
tree: 3cb344b33d73222ad9961a51a9af7c8173cd63e5
parent: fa5f51b5b5157e55104bd10d66ccaa066090eec3 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/src/src/spool_in.c b/src/src/spool_in.c
index f64c52c5a..09fe9c5f7 100644
--- a/src/src/spool_in.c
+++ b/src/src/spool_in.c
@@ -468,7 +468,7 @@ for (;;)
     uschar * buf;
     if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
     buf = store_get_perm(big_buffer_size *= 2, FALSE);
-    memcpy(buf, big_buffer, --len);
+    memcpy(buf, big_buffer, len);
     big_buffer = buf;
     if (Ufgets(big_buffer+len, big_buffer_size-len, fp) == NULL)
       goto SPOOL_READ_ERROR;
author	Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>	2020-11-21 22:18:56 +0100
committer	Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>	2021-05-27 21:30:35 +0200
commit	5dad84609e49ce4c45d29ccb98b1b7b1f296d69e (patch)
tree	3cb344b33d73222ad9961a51a9af7c8173cd63e5
parent	fa5f51b5b5157e55104bd10d66ccaa066090eec3 (diff)