X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=src%2Fsrc%2Fspam.c;h=f46e11e42391d7005d412b42afa73a87f4db4bb5;hb=b47584259a53dcd166b923520a3ba7d8df0eb5bc;hp=1159d36874ff02df9b41ffffc405c836875274c2;hpb=d4ff61d1edff4054497632be7f36ede86bb8ebec;p=exim.git
diff --git a/src/src/spam.c b/src/src/spam.c
index 1159d3687..f46e11e42 100644
--- a/src/src/spam.c
+++ b/src/src/spam.c
@@ -2,8 +2,10 @@
 * Exim - an Internet mail transport agent *
 *************************************************/
-/* Copyright (c) Tom Kistner 2003 - 2015 */
-/* License: GPL */
+/* Copyright (c) Tom Kistner 2003 - 2015
+ * License: GPL
+ * Copyright (c) The Exim Maintainers 2016
+ */
 /* Code for calling spamassassin's spamd. Called from acl.c. */
@@ -500,8 +502,9 @@ offset = 0;
 while ((i = ip_recv(spamd_sock,
 spamd_buffer + offset,
 sizeof(spamd_buffer) - offset - 1,
- sd->timeout - time(NULL) + start)) > 0 )
+ sd->timeout - time(NULL) + start)) > 0)
 offset += i;
+spamd_buffer[offset] = '\0'; /* guard byte */
 /* error handling */
 if (i <= 0 && errno != 0)
@@ -518,10 +521,12 @@ if (i <= 0 && errno != 0)
 if (sd->is_rspamd)
 { /* rspamd variant of reply */
 int r;
- if ((r = sscanf(CS spamd_buffer,
+ if ( (r = sscanf(CS spamd_buffer,
 "RSPAMD/%7s 0 EX_OK\r\nMetric: default; %7s %lf / %lf / %lf\r\n%n",
 spamd_version, spamd_short_result, &spamd_score, &spamd_threshold,
- &spamd_reject_score, &spamd_report_offset)) != 5)
+ &spamd_reject_score, &spamd_report_offset)) != 5
+ || spamd_report_offset >= offset /* verify within buffer */
+ )
 {
 log_write(0, LOG_MAIN|LOG_PANIC,
 "%s cannot parse spamd %s, output: %d", loglabel, callout_address, r);
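Review bot: The `/* guard byte */` comment on the added `spamd_buffer[offset] = '\0';` does not say what depends on the terminator or why the write is in bounds. Something like `/* NUL-terminate: sscanf() below treats spamd_buffer as a C string; the recv length of sizeof - offset - 1 reserves this byte */` would make the invariant explicit for the next person who touches the receive length. Separately, nothing in this hunk distinguishes a reply that exactly filled the buffer from a complete one, so a truncated spamd response may be parsed as if whole; the error handling that follows is outside the hunk, so confirm whether `offset == sizeof(spamd_buffer) - 1` is detected there.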
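Review bot: When the new `spamd_report_offset >= offset` condition is the one that fails, the `log_write` below still reports "cannot parse" with `r`, which is 5 in that case, so the panic log looks like a successful parse. A separate message for the bounds failure, e.g. `"%s spamd %s reply ends before report"` with `loglabel, callout_address`, would let an operator tell a malformed header from a short or truncated reply. Note also that `>=` rejects a reply whose report is empty, since an offset equal to the received length now points at the terminating NUL; if that is intended, the `/* verify within buffer */` comment should say so. The non-rspamd branch is outside this hunk; if it also takes a report offset from `%n`, it presumably needs the same bound.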