Chunking: do not treat the first lonely dot special. CVE-2017-16944, Bug 2201
authorHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Mon, 27 Nov 2017 21:42:33 +0000 (22:42 +0100)
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Sun, 3 Dec 2017 18:50:29 +0000 (19:50 +0100)
src/src/receive.c
src/src/smtp_in.c

index 5dc9bb5..ae2c93b 100644 (file)
@@ -1859,7 +1859,7 @@ for (;;)
   prevent further reading), and break out of the loop, having freed the
   empty header, and set next = NULL to indicate no data line. */
 
-  if (ptr == 0 && ch == '.' && (smtp_input || dot_ends))
+  if (ptr == 0 && ch == '.' && dot_ends)
     {
     ch = (receive_getc)(GETC_BUFFER_UNLIMITED);
     if (ch == '\r')
index 28586f3..00e9d41 100644 (file)
@@ -5097,17 +5097,24 @@ while (done <= 0)
       DEBUG(D_receive) debug_printf("chunking state %d, %d bytes\n",
                                    (int)chunking_state, chunking_data_left);
 
+      /* push the current receive_* function on the "stack", and
+      replace them by bdat_getc(), which in turn will use the lwr_receive_*
+      functions to do the dirty work. */
       lwr_receive_getc = receive_getc;
       lwr_receive_getbuf = receive_getbuf;
       lwr_receive_ungetc = receive_ungetc;
+
       receive_getc = bdat_getc;
       receive_ungetc = bdat_ungetc;
 
+      dot_ends = FALSE;
+
       goto DATA_BDAT;
       }
 
     case DATA_CMD:
     HAD(SCH_DATA);
+    dot_ends = TRUE;
 
     DATA_BDAT:         /* Common code for DATA and BDAT */
     if (!discarded && recipients_count <= 0)