diff options
author | Gilles Chehade <gilles@cvs.openbsd.org> | 2020-01-28 21:35:01 +0000 |
---|---|---|
committer | Gilles Chehade <gilles@cvs.openbsd.org> | 2020-01-28 21:35:01 +0000 |
commit | e01d6b4e2d4e65ff4197e57ca7747d03b25b5fcc (patch) | |
tree | 59c9b35cddedb5bb8610c4c94212527436ed8a41 /usr.sbin/smtpd/smtp_session.c | |
parent | 1f196ba7c224c224228d59dfadba68dff0d4c1e1 (diff) |
Fix a security vulnerability discovered by Qualys which can lead to a
privileges escalation on mbox deliveries and unprivileged code execution
on lmtp deliveries, due to a logic issue causing a sanity check to be
missed.
ok eric@, millert@
Diffstat (limited to 'usr.sbin/smtpd/smtp_session.c')
-rw-r--r-- | usr.sbin/smtpd/smtp_session.c | 30 |
1 files changed, 14 insertions, 16 deletions
diff --git a/usr.sbin/smtpd/smtp_session.c b/usr.sbin/smtpd/smtp_session.c index f9cf444786d..1af4c6f9776 100644 --- a/usr.sbin/smtpd/smtp_session.c +++ b/usr.sbin/smtpd/smtp_session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: smtp_session.c,v 1.421 2020/01/08 00:05:38 gilles Exp $ */ +/* $OpenBSD: smtp_session.c,v 1.422 2020/01/28 21:35:00 gilles Exp $ */ /* * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org> @@ -2236,25 +2236,23 @@ smtp_mailaddr(struct mailaddr *maddr, char *line, int mailfrom, char **args, memmove(maddr->user, p, strlen(p) + 1); } - if (!valid_localpart(maddr->user) || - !valid_domainpart(maddr->domain)) { - /* accept empty return-path in MAIL FROM, required for bounces */ - if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0') - return (1); + /* accept empty return-path in MAIL FROM, required for bounces */ + if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0') + return (1); - /* no user-part, reject */ - if (maddr->user[0] == '\0') - return (0); - - /* no domain, local user */ - if (maddr->domain[0] == '\0') { - (void)strlcpy(maddr->domain, domain, - sizeof(maddr->domain)); - return (1); - } + /* no or invalid user-part, reject */ + if (maddr->user[0] == '\0' || !valid_localpart(maddr->user)) return (0); + + /* no domain part, local user */ + if (maddr->domain[0] == '\0') { + (void)strlcpy(maddr->domain, domain, + sizeof(maddr->domain)); } + if (!valid_domainpart(maddr->domain)) + return (0); + return (1); } |