Fix transport buffer size handling

Broken-by: 59932f7dcd

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 9313c7b28f13f71671c63a7e4deff4243d95bfac..18db733aa8a6aedbb212030b9e9e61ed94c67dfb 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -22,6 +22,9 @@ JH/04 The default received_header_text now uses the RFC 8314 tls cipher clause.
 
 JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.
 
 
 JH/05 DKIM: ensure that dkim_domain elements are lowercased before use.
 

+JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible
+      buffer overrun for (non-chunking) other transports.
+

 
 Exim version 4.92
 -----------------
 
 Exim version 4.92
 -----------------

diff --git a/src/src/transport.c b/src/src/transport.c
index 0fa90cb041fc79cb29fd8193704f63fb6e47f013..f34db091458a8248922fc3db50e8650bad34bcc3 100644 (file)
--- a/src/src/transport.c
+++ b/src/src/transport.c
@@ -1108,13 +1108,13 @@ DEBUG(D_transport)
 
 if (!(tctx->options & topt_no_body))
   {
 
 if (!(tctx->options & topt_no_body))
   {

-  int size = size_limit;
+  unsigned long size = size_limit > 0 ? size_limit : ULONG_MAX;

 
   nl_check_length = abs(nl_check_length);
   nl_partial_match = 0;
   if (lseek(deliver_datafile, SPOOL_DATA_START_OFFSET, SEEK_SET) < 0)
     return FALSE;
 
   nl_check_length = abs(nl_check_length);
   nl_partial_match = 0;
   if (lseek(deliver_datafile, SPOOL_DATA_START_OFFSET, SEEK_SET) < 0)
     return FALSE;

-  while (  (len = MAX(DELIVER_IN_BUFFER_SIZE, size)) > 0
+  while (  (len = MIN(DELIVER_IN_BUFFER_SIZE, size)) > 0

        && (len = read(deliver_datafile, deliver_in_buffer, len)) > 0)
     {
     if (!write_chunk(tctx, deliver_in_buffer, len))
        && (len = read(deliver_datafile, deliver_in_buffer, len)) > 0)
     {
     if (!write_chunk(tctx, deliver_in_buffer, len))