Chunking: do not treat the first lonely dot special. CVE-2017-16944, Bug 2201
authorHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Mon, 27 Nov 2017 21:42:33 +0000 (22:42 +0100)
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Sun, 3 Dec 2017 18:50:29 +0000 (19:50 +0100)
src/src/receive.c
src/src/smtp_in.c

index 5dc9bb5846b3ff27716a13e28d23d255392d0913..ae2c93b4efd56419c588b4c868d5047c4d57f244 100644 (file)
@@ -1859,7 +1859,7 @@ for (;;)
   prevent further reading), and break out of the loop, having freed the
   empty header, and set next = NULL to indicate no data line. */
 
-  if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
+  if (ptr == 0 && ch == '.' && dot_ends)
     {
     ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
     if (ch == '\r')
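Review bot: With `smtp_input` dropped from the test at `if (ptr == 0 && ch == '.' && dot_ends)`, dot termination of SMTP input in this loop depends entirely on code in another file having set `dot_ends` beforehand, and nothing here says so. In this commit that is `dot_ends = TRUE;` under `case DATA_CMD:` and `dot_ends = FALSE;` on the BDAT path in src/src/smtp_in.c. If any SMTP-input path reaches this loop without passing through one of those assignments, a lone dot would presumably be read as header data instead of ending the message. I would add a comment above the condition such as `/* dot_ends is set by the DATA handler and cleared for BDAT in smtp_in.c; smtp_input alone no longer implies dot termination */`. The comment block before the condition starts outside the hunk, so check that it still describes the new test.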
index 28586f33d290a32a52e2bbea8af17c112a622ee7..00e9d41a8119e37af9880c1d63d34eccbf24bad5 100644 (file)
@@ -5097,17 +5097,24 @@ while (done <= 0)
       DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
                                    (int)chunking_state, chunking_data_left);
 
+      /* push the current receive_* function on the "stack", and
+      replace them by bdat_getc(), which in turn will use the lwr_receive_*
+      functions to do the dirty work. */
       lwr_receive_getc = receive_getc;
       lwr_receive_getbuf = receive_getbuf;
       lwr_receive_ungetc = receive_ungetc;
+
       receive_getc = bdat_getc;
       receive_ungetc = bdat_ungetc;
 
+      dot_ends = FALSE;
+
       goto DATA_BDAT;
       }
 
     case DATA_CMD:
     HAD(SCH_DATA);
+    dot_ends = TRUE;
 
     DATA_BDAT:         /* Common code for DATA and BDAT */
     if (!discarded && recipients_count <= 0)
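Review bot: The added `dot_ends = FALSE;` and `dot_ends = TRUE;` lines carry no comment, although they are what keeps the receive loop from treating chunk content as an end-of-data marker. I would put `/* BDAT chunks are length-delimited: a lone "." is message data, not end-of-data */` before the first and `/* DATA is dot-terminated; also undoes the FALSE left by an earlier BDAT */` before the second. `dot_ends` appears to be a flag shared with non-SMTP reception, and neither path restores its previous value, so it is worth confirming that nothing later in the process relies on the original setting. The new block comment also says the receive_* functions are replaced, but in the visible lines only `receive_getc` and `receive_ungetc` are reassigned, while `receive_getbuf` is only saved. The enclosing `while (done <= 0)` switch begins and ends outside the hunk.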