aboutsummaryrefslogtreecommitdiff
path: root/network/opensmtpd/openbsd64-020-smtpd.patch
blob: 8ce7178da8b17b7f8d306285a24f18141219250f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
OpenBSD 6.4 errata 020, August 2, 2019

smtpd can crash on excessively large input, causing a denial of service.

--- a/smtpd/smtp_session.c	3 Sep 2018 19:01:29 -0000	1.337
+++ b/smtpd/smtp_session.c	1 Aug 2019 21:18:53 -0000
@@ -1904,15 +1904,21 @@ smtp_reply(struct smtp_session *s, char 
 {
 	va_list	 ap;
 	int	 n;
-	char	 buf[LINE_MAX], tmp[LINE_MAX];
+	char	 buf[LINE_MAX*2], tmp[LINE_MAX*2];
 
 	va_start(ap, fmt);
 	n = vsnprintf(buf, sizeof buf, fmt, ap);
 	va_end(ap);
-	if (n == -1 || n >= LINE_MAX)
-		fatalx("smtp_reply: line too long");
+	if (n < 0)
+		fatalx("smtp_reply: response format error");
 	if (n < 4)
 		fatalx("smtp_reply: response too short");
+	if (n >= (int)sizeof buf) {
+		/* only first three bytes are used by SMTP logic,
+		 * so if _our_ reply does not fit entirely in the
+		 * buffer, it's ok to truncate.
+		 */
+	}
 
 	log_trace(TRACE_SMTP, "smtp: %p: >>> %s", s, buf);