32 lines
909 B
Diff
32 lines
909 B
Diff
OpenBSD 6.4 errata 020, August 2, 2019
|
|
|
|
smtpd can crash on excessively large input, causing a denial of service.
|
|
|
|
--- a/smtpd/smtp_session.c 3 Sep 2018 19:01:29 -0000 1.337
|
|
+++ b/smtpd/smtp_session.c 1 Aug 2019 21:18:53 -0000
|
|
@@ -1904,15 +1904,21 @@ smtp_reply(struct smtp_session *s, char
|
|
{
|
|
va_list ap;
|
|
int n;
|
|
- char buf[LINE_MAX], tmp[LINE_MAX];
|
|
+ char buf[LINE_MAX*2], tmp[LINE_MAX*2];
|
|
|
|
va_start(ap, fmt);
|
|
n = vsnprintf(buf, sizeof buf, fmt, ap);
|
|
va_end(ap);
|
|
- if (n == -1 || n >= LINE_MAX)
|
|
- fatalx("smtp_reply: line too long");
|
|
+ if (n < 0)
|
|
+ fatalx("smtp_reply: response format error");
|
|
if (n < 4)
|
|
fatalx("smtp_reply: response too short");
|
|
+ if (n >= (int)sizeof buf) {
|
|
+ /* only first three bytes are used by SMTP logic,
|
|
+ * so if _our_ reply does not fit entirely in the
|
|
+ * buffer, it's ok to truncate.
|
|
+ */
|
|
+ }
|
|
|
|
log_trace(TRACE_SMTP, "smtp: %p: >>> %s", s, buf);
|
|
|