exim: Fix for CVE-2017-16943 RCE vuln
(cherry picked from commit a6e87b5)
1 parent
0990eea
commit 814f3a6
Showing
2 changed files
with
40 additions
and
0 deletions.
@@ -0,0 +1,39 @@ | ||
From 4e6ae6235c68de243b1c2419027472d7659aa2b4 Mon Sep 17 00:00:00 2001 | ||
From: Jeremy Harris <jgh146exb@wizmail.org> | ||
Date: Fri, 24 Nov 2017 20:22:33 +0000 | ||
Subject: [PATCH] Avoid release of store if there have been later allocations. | ||
Bug 2199 | ||
|
||
--- | ||
src/receive.c | 7 ++++--- | ||
1 file changed, 4 insertions(+), 3 deletions(-) | ||
|
||
diff --git a/src/receive.c b/src/receive.c | ||
index e7e518a..d9b5001 100644 | ||
--- a/src/receive.c | ||
+++ b/src/receive.c | ||
@@ -1810,8 +1810,8 @@ for (;;) | ||
(and sometimes lunatic messages can have ones that are 100s of K long) we | ||
call store_release() for strings that have been copied - if the string is at | ||
the start of a block (and therefore the only thing in it, because we aren't | ||
- doing any other gets), the block gets freed. We can only do this because we | ||
- know there are no other calls to store_get() going on. */ | ||
+ doing any other gets), the block gets freed. We can only do this release if | ||
+ there were no allocations since the once that we want to free. */ | ||
|
||
if (ptr >= header_size - 4) | ||
{ | ||
@@ -1820,9 +1820,10 @@ for (;;) | ||
header_size *= 2; | ||
if (!store_extend(next->text, oldsize, header_size)) | ||
{ | ||
+ BOOL release_ok = store_last_get[store_pool] == next->text; | ||
uschar *newtext = store_get(header_size); | ||
memcpy(newtext, next->text, ptr); | ||
- store_release(next->text); | ||
+ if (release_ok) store_release(next->text); | ||
next->text = newtext; | ||
} | ||
} | ||
-- | ||
1.9.1 |
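Review bot: The header of the added patch file (From/Date/Subject and "Bug 2199") never names the CVE, so the commit title is the only thing linking this file to CVE-2017-16943. If this tree follows the OpenEmbedded patch-header convention, which the page does not show, adding `CVE: CVE-2017-16943` and `Upstream-Status: Backport` (citing upstream commit 4e6ae6235c68) would let CVE-tracking tooling and later maintainers confirm the fix is carried. Inside the patch, `release_ok` has to be evaluated before `store_get(header_size)`, presumably because that call updates `store_last_get[store_pool]`, yet nothing on the line says so. A short comment such as `/* test before store_get(): it changes store_last_get */` would keep a later refactor from swapping the two lines and bringing back the premature release. The enclosing `for (;;)` loop in src/receive.c starts and ends outside the hunk.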