1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
OpenBSD 6.4 errata 020, August 2, 2019
smtpd can crash on excessively large input, causing a denial of service.
--- a/smtpd/smtp_session.c 3 Sep 2018 19:01:29 -0000 1.337
+++ b/smtpd/smtp_session.c 1 Aug 2019 21:18:53 -0000
@@ -1904,15 +1904,21 @@ smtp_reply(struct smtp_session *s, char
{
va_list ap;
int n;
- char buf[LINE_MAX], tmp[LINE_MAX];
+ char buf[LINE_MAX*2], tmp[LINE_MAX*2];
va_start(ap, fmt);
n = vsnprintf(buf, sizeof buf, fmt, ap);
va_end(ap);
- if (n == -1 || n >= LINE_MAX)
- fatalx("smtp_reply: line too long");
+ if (n < 0)
+ fatalx("smtp_reply: response format error");
if (n < 4)
fatalx("smtp_reply: response too short");
+ if (n >= (int)sizeof buf) {
+ /* only first three bytes are used by SMTP logic,
+ * so if _our_ reply does not fit entirely in the
+ * buffer, it's ok to truncate.
+ */
+ }
log_trace(TRACE_SMTP, "smtp: %p: >>> %s", s, buf);
|