summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2021-03-04 22:19:08 +0100
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>2021-05-27 21:30:41 +0200
commit6552729ba7975985cbcb938cf4ecf7b54e395763 (patch)
treeb6e2b708986eddd7e773977f77f2bc8768ebbf70 /src
parentda140cebadf56aeb3e2956ad4e317b0f9619a9e6 (diff)
CVE-2020-28019: Failure to reset function pointer after BDAT error
Based on Phil Pennock's commits 4715403e and 151ffd72, and Jeremy Harris's commits aa171254 and 9aceb5c2. (cherry picked from commit 0a3fbb7e3be375bc93b8e359c6aff333c7c2d76f) (cherry picked from commit 99d057fad97a2def9f000ebccda83e4008112819)
Diffstat (limited to 'src')
-rw-r--r--src/src/smtp_in.c15
1 files changed, 14 insertions, 1 deletions
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index b6d530f93..6d2339770 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -794,15 +794,22 @@ else
}
receive_getc = bdat_getc;
+receive_getbuf = bdat_getbuf;
receive_ungetc = bdat_ungetc;
}
static inline void
bdat_pop_receive_functions(void)
{
+if (lwr_receive_getc == NULL)
+ {
+ DEBUG(D_receive) debug_printf("chunking double-pop receive functions\n");
+ return;
+ }
receive_getc = lwr_receive_getc;
receive_getbuf = lwr_receive_getbuf;
receive_ungetc = lwr_receive_ungetc;
+
lwr_receive_getc = NULL;
lwr_receive_getbuf = NULL;
lwr_receive_ungetc = NULL;
@@ -5341,7 +5348,7 @@ while (done <= 0)
DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
(int)chunking_state, chunking_data_left);
- f.bdat_readers_wanted = TRUE;
+ f.bdat_readers_wanted = TRUE; /* FIXME: redundant vs chunking_state? */
f.dot_ends = FALSE;
goto DATA_BDAT;
@@ -5391,6 +5398,12 @@ while (done <= 0)
sender_address = NULL; /* This will allow a new MAIL without RSET */
sender_address_unrewritten = NULL;
smtp_printf("554 Too many recipients\r\n", FALSE);
+
+ if (chunking_state > CHUNKING_OFFERED)
+ {
+ bdat_push_receive_functions();
+ bdat_flush_data();
+ }
break;
}