From da88acaeb7d76e5312c8ea799951470eaa5eca0f Mon Sep 17 00:00:00 2001 From: Phil Pennock Date: Tue, 31 Jan 2017 22:15:55 -0500 Subject: Handle Proxy Protocol v2 safely as well. We had test suite failures (test suite success!) because Proxy Protocol v2 (PPv2) wasn't being detected; by only reading 12 octets, the >= 16 check was failing. But in fact I had previously only fixed reading "only enough" for PPv1. Handling both PPv1 and PPv2 is complicated because the minimum valid length for PPv1 is 15 octets but for PPv2 the size to read is in the 15th and 16th octets. So refactored a little and we now use a total of 3 reads for the PPv2 case (assuming no fragmentation, etc; we'll actually keep reading now instead of aborting) to get the entire PPv2 header of exactly the right size, so that TLS handshake immediately following the PP header is not also swallowed. Fixes: 2018 Tested: manually, TLS and non-TLS, PPv1 and PPv2, all ways. Release: should be cherry-picked into 4.89RC series --- doc/doc-txt/ChangeLog | 2 ++ 1 file changed, 2 insertions(+) (limited to 'doc') diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 69c778966..03c031106 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -77,6 +77,8 @@ PP/03 Bug 2018: For Proxy Protocol and TLS-on-connect, do not over-read and instead leave the unprompted TLS handshake in socket buffer for the TLS library to consume. +PP/04 Bug 2018: Also handle Proxy Protocol v2 safely. + Exim version 4.88 ----------------- -- cgit v1.2.3