From 518f0a0dd6df6f0d0ea51bfa126982d134e7a7ff Mon Sep 17 00:00:00 2001
From: Phil Pennock
Date: Thu, 29 Oct 2020 22:40:59 -0400
Subject: SECURITY: fix SMTP verb option parsing

A boundary case in looking for an opening quote before the closing quote could walk off the front of the buffer.
(cherry picked from commit 515d8d43a18481d23d7cf410b8dc71b4e254ebb8)
(cherry picked from commit 467948de0c407bd2bbc2e84abbbf09f35b035538)
---
 src/src/smtp_in.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index d60e7d5c5..4f16fd4b8 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -1969,12 +1969,13 @@ extract_option(uschar **name, uschar **value)
 uschar *n;
 uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
 while (isspace(*v)) v--;
-v[1] = 0;
+v[1] = '\0';
 while (v > smtp_cmd_data && *v != '=' && !isspace(*v)) { /* Take care to not stop at a space embedded in a quoted local-part */
- if (*v == '"') do v--; while (*v != '"' && v > smtp_cmd_data+1);
+ if ((*v == '"') && (v > smtp_cmd_data + 1))
+ do v--; while (*v != '"' && v > smtp_cmd_data+1);
 v--;
 }
-- cgit v1.2.3
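Review bot: The trailing-whitespace trim in the context just above the changed lines, `while (isspace(*v)) v--;`, still has no lower bound, so a `smtp_cmd_data` that is empty or all whitespace moves `v` in front of the buffer before `v[1] = '\0'` writes through it. This is the same class of underrun the commit fixes for the quote scan. Bounding the trim the way the outer loop already is, `while (v > smtp_cmd_data && isspace(*v)) v--;`, would close most of it. An early exit is also needed when `Ustrlen(smtp_cmd_data)` is zero, because `v` then starts at `smtp_cmd_data - 1`. Whether callers already guarantee non-empty argument data is not visible here, and the function's opening and return path lie outside the hunk, so the form of that early exit needs checking against the rest of extract_option().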