https://bugs.exim.org/show_bug.cgi?id=2634
Git Commit <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |[email protected] --- Comment #3 from Git Commit <[email protected]> --- Git commit: https://git.exim.org/exim.git/commitdiff/e0ae68c8ee6788508da4989ee0d6fcbaf40c7b97 commit e0ae68c8ee6788508da4989ee0d6fcbaf40c7b97 Author: Gavan <[email protected]> AuthorDate: Fri Aug 21 15:46:01 2020 +0100 Commit: Jeremy Harris <[email protected]> CommitDate: Fri Aug 21 15:46:01 2020 +0100 Taint: fix off-by-one in is_tainted(). Bug 2634 --- doc/doc-txt/ChangeLog | 5 +++++ src/src/store.c | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index eb64e0a..9048e3f 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -111,6 +111,11 @@ JH/22 Bug 2265: Force SNI usage for smtp transport DANE'd connections, to be JH/23 Logging: with the +tls_sni log_selector, do not wrap the received SNI in quotes. +JH/24 Bug 2634: Fix a taint trap seen on NetBSD: the testing coded for + is_tainted() had an off-by-one error in the overenthusiastic direction. + Find and fix by Gavan. Although NetBSD is not a supported platform for + 4.94 this bug could affect other platforms. + Exim version 4.94 ----------------- diff --git a/src/src/store.c b/src/src/store.c index 47d6f91..df7078f 100644 --- a/src/src/store.c +++ b/src/src/store.c 
@@ -188,14 +188,14 @@ for (int pool = POOL_TAINT_BASE; pool < nelem(chainbase); pool++) if ((b = current_block[pool])) { uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK; - if (US p >= bc && US p <= bc + b->length) return TRUE; + if (US p >= bc && US p < bc + b->length) return TRUE; } for (int pool = POOL_TAINT_BASE; pool < nelem(chainbase); pool++) for (b = chainbase[pool]; b; b = b->next) { uschar * bc = US b + ALIGNED_SIZEOF_STOREBLOCK; - if (US p >= bc && US p <= bc + b->length) return TRUE; + if (US p >= bc && US p < bc + b->length) return TRUE; } return FALSE; }
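Review bot: In the doc/doc-txt/ChangeLog hunk, the JH/24 entry does not say what an affected platform would observe. "Could affect other platforms" gives an operator nothing to match against their logs. Suggest one clause stating the symptom (a taint trap raised for a pointer that sits exactly at `bc + b->length` of a tainted block, i.e. one byte past its end). Also, "the testing coded for is_tainted()" looks like a slip for "the testing code for", and "Find and fix by Gavan" for "Found and fixed by Gavan".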
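Review bot: In the src/src/store.c hunk, the corrected bounds test `US p >= bc && US p < bc + b->length` is still written out twice, once in the `current_block[pool]` loop and once in the `chainbase[pool]` loop, which is why the same off-by-one had to be fixed in two places. Suggest moving the range check into a single helper or macro taking `b` and `p`, so the two loops cannot drift apart. The patch also adds no regression test for the boundary case `p == bc + b->length`. A test that checks that address is reported untainted would pin the half-open interval and keep a later edit from turning `<` back into `<=`.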
