authorPhil Pennock <pdp@exim.org>2011-03-24 04:40:33 -0400
committerPhil Pennock <pdp@exim.org>2011-03-24 04:40:33 -0400
commit4e7ee01264c430b044fd81cbc79a09ee0348d018 (patch)
tree99e42ea20972a28e62fc921ff272a7be97c02685 /src
parentda80c2a8ed49427334af613c00df65ae301cacdd (diff)
Also memset(.., 0, ..) the pre-TLS input buffer.
Diffstat (limited to 'src')
-rw-r--r--src/src/smtp_in.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 500000be4..38c7afcf6 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -3861,6 +3861,15 @@ while (done <= 0)
/* and if TLS is already active, tls_server_start() should fail */
}
+ /* There is nothing we value in the input buffer and if TLS is succesfully
+ negotiated, we won't use this buffer again; if TLS fails, we'll just read
+ fresh content into it. The buffer contains arbitrary content from an
+ untrusted remote source; eg: NOOP <shellcode>\r\nSTARTTLS\r\n
+ It seems safest to just wipe away the content rather than leave it as a
+ target to jump to. */
+
+ memset(smtp_inbuffer, 0, in_buffer_size);
+
/* Attempt to start up a TLS session, and if successful, discard all
knowledge that was obtained previously. At least, that's what the RFC says,
and that's what happens by default. However, in order to work round YAEB,
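Review bot: The added `memset(smtp_inbuffer, 0, in_buffer_size);` clears the bytes, but nothing in this hunk resets the read position or end-of-data marker that go with the buffer. From the visible lines it cannot be confirmed that plaintext pipelined after STARTTLS is discarded rather than read back later as NUL bytes. If that reset happens elsewhere, the comment should say so, for example `/* Hardening only: the buffered-input cursors are reset in <function>; this wipe just removes attacker-supplied bytes from memory. */`. The comment would also be clearer if it stated that the wipe is defence in depth and is not the check that rejects or drops commands sent before the handshake; minor, "succesfully" should read "successfully". The enclosing `while (done <= 0)` loop starts and ends outside the hunk.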