author: Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> 2021-03-30 22:03:49 +0200
committer: Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de> 2021-05-27 21:30:50 +0200
commit: c82e60b402bd17620e57a0774d27b39d7ea6eb09
tree: 37aa66f23b18c940c462e7fbdc0c70cac0781e0d /test
parent: d17c916db7c661aacf65684a5568f8e105e50b3b
CVE-2020-28026: Line truncation and injection in spool_read_header()
This also fixes:

2/ In src/spool_in.c:

 462   while (  (len = Ustrlen(big_buffer)) == big_buffer_size-1
 463         && big_buffer[len-1] != '\n'
 464         )
 465     {   /* buffer not big enough for line; certs make this possible */
 466     uschar * buf;
 467     if (big_buffer_size >= BIG_BUFFER_SIZE*4) goto SPOOL_READ_ERROR;
 468     buf = store_get_perm(big_buffer_size *= 2, FALSE);
 469     memcpy(buf, big_buffer, --len);

The --len in memcpy() chops off a useful byte (we know for sure that
big_buffer[len-1] is not a '\n' because we entered the while loop).

Based on a patch done by Qualys.

(cherry picked from commit f0c307458e1ee81abbe7ed2d4a8d16b5cbd8a799)
(cherry picked from commit 4daba4bec729a57fb0863af786a1395e70794c76)
Diffstat (limited to 'test')
0 files changed, 0 insertions, 0 deletions
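
The byte loss described in the commit message, reproduced as a stand-alone C sketch (an added example, not Exim's code and not the committed fix). The names `read_line` and `read_from_string`, the 16-byte start size and the sample line are assumptions made for illustration; `drop_byte` selects between the quoted `--len` copy and a copy of all `len` bytes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define START_SIZE 16               /* assumed; small so growth triggers */
#define MAX_SIZE   (START_SIZE * 4) /* same shape as the BIG_BUFFER_SIZE*4 cap */

/* Read one line into a buffer that doubles while the line does not fit.
   drop_byte=1 copies with --len as in the quoted code; 0 copies all len bytes.
   Returns a malloc'd string, or NULL on error or when the cap is reached. */
static char *read_line(FILE *fp, int drop_byte)
{
    size_t size = START_SIZE, len;
    char *buf = malloc(size), *bigger;
    if (!buf || !fgets(buf, (int)size, fp)) { free(buf); return NULL; }
    while ((len = strlen(buf)) == size - 1 && buf[len - 1] != '\n') {
        if (size >= MAX_SIZE || !(bigger = malloc(size *= 2))) { free(buf); return NULL; }
        if (drop_byte) --len;       /* the last byte already read is lost */
        memcpy(bigger, buf, len);
        bigger[len] = '\0';         /* stay terminated if fgets hits EOF */
        free(buf);
        buf = bigger;
        if (!fgets(buf + len, (int)(size - len), fp)) break;
    }
    return buf;
}

/* Helper (hypothetical): run read_line over an in-memory string via tmpfile(). */
static char *read_from_string(const char *data, int drop_byte)
{
    FILE *fp = tmpfile();
    char *line;
    if (!fp) return NULL;
    fputs(data, fp);
    rewind(fp);
    line = read_line(fp, drop_byte);
    fclose(fp);
    return line;
}

int main(void)
{
    const char *sample = "0123456789abcdefghijklmnopqrstuvwxyz\n"; /* constructed */
    char *bad = read_from_string(sample, 1), *good = read_from_string(sample, 0);
    if (!bad || !good) return 1;
    printf("with --len: %s", bad);
    printf("full copy : %s", good);
    free(bad); free(good);
    return 0;
}
```

Each time the buffer grows, the `--len` variant silently drops one byte from the middle of the line, so a reader that later parses the line sees content that was never written to the file.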