From: Stephan Bosch Date: Fri, 11 Sep 2020 19:53:06 +0000 (+0200) Subject: lib-smtp: smtp-command-parser - Fix read past buffer limit while parsing UTF-8 character. X-Git-Tag: 2.3.13~163 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1ae3ca298803dc64cfbe278ba93bccb8c203b81f;p=thirdparty%2Fdovecot%2Fcore.git lib-smtp: smtp-command-parser - Fix read past buffer limit while parsing UTF-8 character. The buffer limit was specified as (buf->pos - buf->end) rather than (buf->end - buf->pos). Since at most a valid UTF-8 character can be read beyond the buffer size, this bug didn't cause noticeable effects, nor does it present an attack surface. --- diff --git a/src/lib-smtp/smtp-command-parser.c b/src/lib-smtp/smtp-command-parser.c index 3c4860c0a2..f60461e8d1 100644 --- a/src/lib-smtp/smtp-command-parser.c +++ b/src/lib-smtp/smtp-command-parser.c @@ -180,7 +180,7 @@ static int smtp_command_parse_parameters(struct smtp_command_parser *parser) if (parser->auth_response) ch = *p; else { - nch = uni_utf8_get_char_n(p, (size_t)(p - parser->end), + nch = uni_utf8_get_char_n(p, (size_t)(parser->end - p), &ch); } if (nch == 0)