From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 2 Sep 2019 21:04:26 +0000 (+0200)
Subject: smtp: check for and bail out on too short EHLO response
X-Git-Tag: curl-7_66_0~19
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4d0306c6982ad80be532438265c52c39a55889a0;p=thirdparty%2Fcurl.git

smtp: check for and bail out on too short EHLO response

Otherwise, a three byte response would make the smtp_state_ehlo_resp()
function misbehave.

Credit to OSS-Fuzz
Bug: https://crbug.com/oss-fuzz/16918

Assisted-by: Max Dymond

Closes #4287
---

diff --git a/lib/smtp.c b/lib/smtp.c
index 0db3c1e1c1..65220b0f68 100644
--- a/lib/smtp.c
+++ b/lib/smtp.c
@@ -714,7 +714,7 @@ static CURLcode smtp_state_ehlo_resp(struct connectdata *conn, int smtpcode,
       result = CURLE_REMOTE_ACCESS_DENIED;
     }
   }
-  else {
+  else if(len >= 4) {
     line += 4;
     len -= 4;
 
@@ -785,6 +785,10 @@ static CURLcode smtp_state_ehlo_resp(struct connectdata *conn, int smtpcode,
         result = smtp_perform_authentication(conn);
     }
   }
+  else {
+    failf(data, "Unexpectedly short EHLO response");
+    result = CURLE_WEIRD_SERVER_REPLY;
+  }
 
   return result;
 }