authorPhil Pennock <phil+git@pennock-tech.com>2020-10-29 22:40:59 -0400
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>2021-05-27 21:30:30 +0200
commit518f0a0dd6df6f0d0ea51bfa126982d134e7a7ff (patch)
tree0b32bf62a154a2f8c036313e630089a939f4ded0 /src
parent0695aae1eb75b439862d0f7fbf099b5d08f55af0 (diff)
SECURITY: fix SMTP verb option parsing
A boundary case in looking for an opening quote before the closing quote could walk off the front of the buffer. (cherry picked from commit 515d8d43a18481d23d7cf410b8dc71b4e254ebb8) (cherry picked from commit 467948de0c407bd2bbc2e84abbbf09f35b035538)
Diffstat (limited to 'src')
-rw-r--r--src/src/smtp_in.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index d60e7d5c5..4f16fd4b8 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -1969,12 +1969,13 @@ extract_option(uschar **name, uschar **value)
uschar *n;
uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
while (isspace(*v)) v--;
-v[1] = 0;
+v[1] = '\0';
while (v > smtp_cmd_data && *v != '=' && !isspace(*v))
{
/* Take care to not stop at a space embedded in a quoted local-part */
- if (*v == '"') do v--; while (*v != '"' && v > smtp_cmd_data+1);
+ if ((*v == '"') && (v > smtp_cmd_data + 1))
+ do v--; while (*v != '"' && v > smtp_cmd_data+1);
v--;
}
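Review bot: The trailing-whitespace trim in the unchanged context at the top of this hunk, `while (isspace(*v)) v--;`, still has no lower bound, so the kind of read before the start of `smtp_cmd_data` that this commit closes for the quote scan remains possible there. If the command data is empty, `v` already starts at `smtp_cmd_data - 1` and the loop dereferences it; if the data is all whitespace, the loop keeps stepping backwards. Whether callers can reach this function with such input is not visible in the hunk. I would bound the loop as `while (v > smtp_cmd_data && isspace(*v)) v--;` and return the function's "no option found" result for a zero-length string before `v` is computed. The body of extract_option starts and ends outside the hunk, so the exact return value and the later uses of `v` need checking against the full function.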