CVE-2020-28019: Failure to reset function pointer after BDAT error

Based on Phil Pennock's commits 4715403e and 151ffd72, and Jeremy
Harris's commits aa171254 and 9aceb5c2.

(cherry picked from commit 0a3fbb7e3be375bc93b8e359c6aff333c7c2d76f)
(cherry picked from commit 99d057fad97a2def9f000ebccda83e4008112819)

1 files changed, 14 insertions, 1 deletions

diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index b6d530f93..6d2339770 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -794,15 +794,22 @@ else
   }
 
 receive_getc = bdat_getc;
+receive_getbuf = bdat_getbuf;
 receive_ungetc = bdat_ungetc;
 }
 
 static inline void
 bdat_pop_receive_functions(void)
 {
+if (lwr_receive_getc == NULL)
+  {
+  DEBUG(D_receive) debug_printf("chunking double-pop receive functions\n");
+  return;
+  }
 receive_getc = lwr_receive_getc;
 receive_getbuf = lwr_receive_getbuf;
 receive_ungetc = lwr_receive_ungetc;
+
 lwr_receive_getc = NULL;
 lwr_receive_getbuf = NULL;
 lwr_receive_ungetc = NULL;
@@ -5341,7 +5348,7 @@ while (done <= 0)
       DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
 				    (int)chunking_state, chunking_data_left);
 
-      f.bdat_readers_wanted = TRUE;
+      f.bdat_readers_wanted = TRUE; /* FIXME: redundant vs chunking_state? */
       f.dot_ends = FALSE;
 
       goto DATA_BDAT;
@@ -5391,6 +5398,12 @@ while (done <= 0)
 	sender_address = NULL;  /* This will allow a new MAIL without RSET */
 	sender_address_unrewritten = NULL;
 	smtp_printf("554 Too many recipients\r\n", FALSE);
+
+	if (chunking_state > CHUNKING_OFFERED)
+	  {
+	  bdat_push_receive_functions();
+	  bdat_flush_data();
+	  }
 	break;
 	}