summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2022-05-09 14:45:53 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2022-05-09 14:52:16 +0100
commit6d2c02560e5c0aa7cef83d02b26f193135b93e21 (patch)
tree598801cb553c4f25f97d7c3675850b6c17f03387
parentdae17adc827cb536c485637680adde4facae8a78 (diff)
Fix string_copyn() for limit greater than actual string length
Broken-by: a76d120aed
-rw-r--r--doc/doc-txt/ChangeLog5
-rw-r--r--src/src/functions.h5
2 files changed, 9 insertions, 1 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 82bac62b9..d492a62b7 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -131,6 +131,11 @@ JH/29 TLS resumption: the key for session lookup in the client now includes
session, avoiding oferring mismatching sessions to such a server.
Previously only the server IP was used.
+JH/30 Fix string_copyn() for limit greater than actual string length.
+ Previously the copied amount was the limit, which could result in a
+ overlapping memcpy for newly allocated destination soon after a
+ source string shorter than the limit. Found/investigated by KM.
+
Exim version 4.95
-----------------
diff --git a/src/src/functions.h b/src/src/functions.h
index f8e0cd77e..07df8755b 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -788,7 +788,10 @@ static inline uschar *
string_copyn_taint_trc(const uschar * s, unsigned len,
const void * proto_mem, const char * func, int line)
{
-uschar * ss = store_get_3(len + 1, proto_mem, func, line);
+uschar * ss;
+unsigned slen = Ustrlen(s);
+if (len > slen) len = slen;
+ss = store_get_3(len + 1, proto_mem, func, line);
memcpy(ss, s, len);
ss[len] = '\0';
return ss;