From: Wietse Venema Date: Sat, 6 Jan 2024 05:00:00 +0000 (-0500) Subject: postfix-3.9-20240106 X-Git-Tag: v3.9.0~21 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bcca0a352314d7704d4f9773a788f218a420ef37;p=thirdparty%2Fpostfix.git postfix-3.9-20240106 --- diff --git a/postfix/HISTORY b/postfix/HISTORY index d6e357af4..ec655022f 100644 --- a/postfix/HISTORY +++ b/postfix/HISTORY @@ -27661,8 +27661,8 @@ Apologies for any names omitted. and "normalize". The default setting "normalize" (and "yes") will accept bare newlines from local or remote SMTP clients, but if any DATA content line ends in , require the - standard End-of-DATA form . and skip plus - log non-standard End-of-DATA forms. This may fail to receive + standard End-of-DATA form . and skip + non-standard End-of-DATA forms. This may fail to receive email from legitimate clients that send a mix of lines ending in and . If such clients exist, they need to be excluded with smtpd_forbid_bare_newline_exclusions. @@ -27672,3 +27672,16 @@ Apologies for any names omitted. Tooling: mantools/dehtml was breaking words in code examples, causing false spellchecker errors. File: mantools/dehtml, proto/stop.double-proto-html. + +20240105 + + Cleanup: don't spam the log with unexpected End-of-DATA + forms. Files: proto/postconf.proto, smtpd/smtpd.c, + RELEASE_NOTES. + +20240106 + + Bugfix: with smtpd_forbid_bare_newline enabled, do not + "strip" extra characters before . This avoids + ambiguity when a client sends extra characters as in + .. File: global/smtp_stream.c. diff --git a/postfix/RELEASE_NOTES b/postfix/RELEASE_NOTES index d5b101140..5ead75a50 100644 --- a/postfix/RELEASE_NOTES +++ b/postfix/RELEASE_NOTES @@ -32,8 +32,13 @@ Major changes with snapshot 20240102 This updates Postfix fixes for SMTP smuggling attacks, For background, see https://www.postfix.org/smtp-smuggling.html -This release improves configuration (see below) and logging (it now -includes helo, mail, and rcpt information if available). +This release improves configuration (see below) and logging for rejected +input (it now includes helo, mail, and rcpt information if available). +This will be back ported to Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24. + +- Stricter enforcement of .; earlier versions ignored + extra before , causing ambiguity about what the client + actually sent. - The new setting "smtpd_forbid_bare_newline = normalize" allows bare newlines from local and remote SMTP clients that send bare @@ -52,30 +57,29 @@ The recommended Postfix 3.9 settings (i.e. the defaults) are now: # Allow bare newlines from local and remote SMTP clients. If any DATA # content line ends in , require the standard End-of-DATA form - # . and skip non-standard End-of-DATA forms with - # logging that looks like: - # - # skipping unexpected . in DATA from... - # skipping unexpected . in DATA from... + # ., and skip other End-of-DATA forms. # - # This may fail to receive email from legitimate clients that send a - # mix of lines ending in and . If such clients exist, - # they need to be excluded with smtpd_forbid_bare_newline_exclusions. + # This may cause problems for legitimate clients that send + # non-standard line endings such web applications, netcat, fax + # machines, or load balancer health checks. Such clients need to be + # excluded with smtpd_forbid_bare_newline_exclusions. # smtpd_forbid_bare_newline = normalize smtpd_forbid_bare_newline_exclusions = $mynetworks Alternative settings: - # Reject bare newlines from remote SMTP clients, but allow them from - # local non-standard clients such as netcat, fax machines, or load - # balancer health checks. + # Reject bare newlines from remote SMTP clients. Require the standard + # End-of-DATA form .. + # + # This will cause problems for legitimate clients that send + # non-standard line endings such web applications, netcat, fax + # machines, or load balancer health checks. Such clients need to be + # excluded with smtpd_forbid_bare_newline_exclusions. # smtpd_forbid_bare_newline = reject smtpd_forbid_bare_newline_exclusions = $mynetworks -This will be back ported to Postfix 3.8.5, 3.7.10, 3.6.14, and 3.5.24. - Incompatible changes with snapshot 20231221 =========================================== diff --git a/postfix/html/postconf.5.html b/postfix/html/postconf.5.html index 449e10ba3..225df2cbe 100644 --- a/postfix/html/postconf.5.html +++ b/postfix/html/postconf.5.html @@ -15924,10 +15924,10 @@ This feature is available in Postfix 2.0 and later.
smtpd_forbid_bare_newline (default: Postfix ≥ 3.9: normalize)
-

Disconnect, reject, or normalize commands and email message -content when a remote SMTP client sends lines ending in <LF>. -Such line endings are commonly allowed with UNIX-based SMTP servers, -but they violate the RFC 5321 requirement that lines must end in +

Reject or normalize commands and email message content when a +remote SMTP client sends lines ending in <LF>. Such line +endings are commonly allowed with UNIX-based SMTP servers, but they +violate the RFC 5321 requirement that lines must end in <CR><LF>. <.p>

Specify one of the following values (case does not matter):

@@ -15938,29 +15938,25 @@ but they violate the RFC 5321 SMTP clients that send lines ending in the non-standard <LF>, and treat those line endings as if the client sent the standard <CR><LF>. However, if an SMTP client sends any DATA -content line ending in the standard <CR><LF>, support -only the standard End-of-DATA form -<CR><LF>.<CR><LF>, and skip non-standard -End-of-DATA forms after logging them as: -
-
-skipping unexpected <LF>.<LF> in DATA from...
-skipping unexpected <LF>.<CR><LF> in DATA from...
-
-
-This may fail to receive email from legitimate SMTP clients that -send DATA content with a mix of line endings. Such clients need -to be excluded with smtpd_forbid_bare_newline_exclusions.
+content line ending in the standard <CR><LF>, require +the standard End-of-DATA form <CR><LF>.<CR><LF>, +and skip non-standard End-of-DATA forms.
This may fail to +receive email from legitimate SMTP clients that send non-standard +line endings such web applications, netcat, fax machines, or load +balancer health checks. Such clients need to be excluded with +smtpd_forbid_bare_newline_exclusions.
yes
Alias for "normalize".
reject
When an SMTP client sends a command or message content line ending in <LF>, log a "bare <LF> -received" error, and reject the command or message content with -smtpd_forbid_bare_newline_reject_code. This will fail to receive -email from legitimate SMTP clients that send command or message -content with lines ending in <LF>. Such clients need to be -excluded with smtpd_forbid_bare_newline_exclusions.
+received" error, reject the command or message content with +smtpd_forbid_bare_newline_reject_code, and require the standard +End-of-DATA form <CR><LF>.<CR><LF>.
+This will fail to receive email from legitimate SMTP clients that +send non-standard line endings such web applications, netcat, fax +machines, or load balancer health checks. Such clients need to be +excluded with smtpd_forbid_bare_newline_exclusions.
no
Treat all lines ending in <LF> as if the client sent <CR><LF>. This option is fully @@ -15975,12 +15971,14 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling. 
-# Allow bare newlines from local and remote SMTP clients. If any
-# DATA content line ends in <CR><LF>, require the standard End-of-DATA
-# form <CR><LF>.<CR><LF> and skip plus log non-standard forms.
-# This may fail to receive email from legitimate clients that send a
-# mix of lines ending in <LF> and <CR><LF>. If such clients exist,
-# they need to be excluded with smtpd_forbid_bare_newline_exclusions.
+# Allow bare newlines from local and remote SMTP clients. If any DATA
+# content line ends in <CR><LF>, require the standard End-of-DATA form
+# <CR><LF>.<CR><LF> and skip other End-of-DATA forms.
+#
+# This may cause problems for legitimate clients that send
+# non-standard line endings such as web applications, netcat, fax
+# machines, or load balancer health checks. Such clients need to be
+# excluded with smtpd_forbid_bare_newline_exclusions.
 #
 smtpd_forbid_bare_newline = normalize
 smtpd_forbid_bare_newline_exclusions = $mynetworks
@@ -15989,9 +15987,13 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling.
 
 

 
-# Reject bare newlines from remote SMTP clients, but allow them from
-# local non-standard clients such as netcat, fax machines, or load
-# balancer health checks.
+# Reject bare newlines from remote SMTP clients. Require the standard
+# End-of-DATA form <CR><LF>.<CR><LF>.
+#
+# This will cause problems for legitimate clients that send
+# non-standard line endings such as web applications, netcat, fax
+# machines, or load balancer health checks. Such clients need to be
+# excluded with smtpd_forbid_bare_newline_exclusions.
 #
 smtpd_forbid_bare_newline = reject
 smtpd_forbid_bare_newline_exclusions = $mynetworks
diff --git a/postfix/html/smtpd.8.html b/postfix/html/smtpd.8.html
index c48c494c3..cfeeed982 100644
--- a/postfix/html/smtpd.8.html
+++ b/postfix/html/smtpd.8.html
@@ -998,8 +998,8 @@ SMTPD(8)                                                              SMTPD(8)
        Available in Postfix 3.9, 3.8.4, 3.7.9, 3.6.13, 3.5.23 and later:
 
        smtpd_forbid_bare_newline (Postfix >= 3.9: normalize)
-              Disconnect, reject, or normalize commands and email message con-
-              tent when a remote SMTP client sends lines ending in <LF>.
+              Reject  or  normalize  commands and email message content when a
+              remote SMTP client sends lines ending in <LF>.
 
        smtpd_forbid_bare_newline_exclusions ($mynetworks)
               Exclude the  specified  clients  from  smtpd_forbid_bare_newline
diff --git a/postfix/man/man5/postconf.5 b/postfix/man/man5/postconf.5
index 6d7d45177..0de744d6b 100644
--- a/postfix/man/man5/postconf.5
+++ b/postfix/man/man5/postconf.5
@@ -11004,10 +11004,10 @@ parameter $name expansion.
 .PP
 This feature is available in Postfix 2.0 and later.
 .SH smtpd_forbid_bare_newline (default: Postfix >= 3.9: normalize)
-Disconnect, reject, or normalize commands and email message
-content when a remote SMTP client sends lines ending in .
-Such line endings are commonly allowed with UNIX\-based SMTP servers,
-but they violate the RFC 5321 requirement that lines must end in
+Reject or normalize commands and email message content when a
+remote SMTP client sends lines ending in . Such line
+endings are commonly allowed with UNIX\-based SMTP servers, but they
+violate the RFC 5321 requirement that lines must end in
 . <.p>
 .PP
 Specify one of the following values (case does not matter):
@@ -11016,24 +11016,15 @@ Maintain compatibility with legacy
 SMTP clients that send lines ending in the non\-standard ,
 and treat those line endings as if the client sent the standard
 . However, if an SMTP client sends any DATA
-content line ending in the standard , support
-only the standard End\-of\-DATA form
-., and skip non\-standard
-End\-of\-DATA forms after logging them as:
-.sp
-.in +4
-.nf
-.na
-.ft C
-skipping unexpected . in DATA from...
-skipping unexpected . in DATA from...
-.fi
-.ad
-.ft R
-.in -4
-This may fail to receive email from legitimate SMTP clients that
-send DATA content with a mix of line endings. Such clients need
-to be excluded with smtpd_forbid_bare_newline_exclusions.
+content line ending in the standard , require
+the standard End\-of\-DATA form .,
+and skip non\-standard End\-of\-DATA forms.
+.br
+This may fail to
+receive email from legitimate SMTP clients that send non\-standard
+line endings such web applications, netcat, fax machines, or load
+balancer health checks. Such clients need to be excluded with
+smtpd_forbid_bare_newline_exclusions.
 .br
 .IP "\fByes\fR"
 Alias for "normalize".
@@ -11041,10 +11032,13 @@ Alias for "normalize".
 .IP "\fBreject\fR"
 When an SMTP client sends a command
 or message content line ending in , log a "bare 
-received" error, and reject the command or message content with
-smtpd_forbid_bare_newline_reject_code. This will fail to receive
-email from legitimate SMTP clients that send command or message
-content with lines ending in . Such clients need to be
+received" error, reject the command or message content with
+smtpd_forbid_bare_newline_reject_code, and require the standard
+End\-of\-DATA form ..
+.br
+This will fail to receive email from legitimate SMTP clients that
+send non\-standard line endings such web applications, netcat, fax
+machines, or load balancer health checks. Such clients need to be
 excluded with smtpd_forbid_bare_newline_exclusions.
 .br
 .IP "\fBno\fR"
@@ -11061,12 +11055,14 @@ Examples:
 .nf
 .na
 .ft C
-# Allow bare newlines from local and remote SMTP clients. If any
-# DATA content line ends in , require the standard End\-of\-DATA
-# form . and skip plus log non\-standard forms.
-# This may fail to receive email from legitimate clients that send a
-# mix of lines ending in  and . If such clients exist,
-# they need to be excluded with smtpd_forbid_bare_newline_exclusions.
+# Allow bare newlines from local and remote SMTP clients. If any DATA
+# content line ends in , require the standard End\-of\-DATA form
+# . and skip other End\-of\-DATA forms.
+#
+# This may cause problems for legitimate clients that send
+# non\-standard line endings such as web applications, netcat, fax
+# machines, or load balancer health checks. Such clients need to be
+# excluded with smtpd_forbid_bare_newline_exclusions.
 #
 smtpd_forbid_bare_newline = normalize
 smtpd_forbid_bare_newline_exclusions = $mynetworks
@@ -11079,9 +11075,13 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks
 .nf
 .na
 .ft C
-# Reject bare newlines from remote SMTP clients, but allow them from
-# local non\-standard clients such as netcat, fax machines, or load
-# balancer health checks.
+# Reject bare newlines from remote SMTP clients. Require the standard
+# End\-of\-DATA form ..
+#
+# This will cause problems for legitimate clients that send
+# non\-standard line endings such as web applications, netcat, fax
+# machines, or load balancer health checks. Such clients need to be
+# excluded with smtpd_forbid_bare_newline_exclusions.
 #
 smtpd_forbid_bare_newline = reject
 smtpd_forbid_bare_newline_exclusions = $mynetworks
diff --git a/postfix/man/man8/smtpd.8 b/postfix/man/man8/smtpd.8
index 25b1f48a4..b068d8133 100644
--- a/postfix/man/man8/smtpd.8
+++ b/postfix/man/man8/smtpd.8
@@ -871,8 +871,8 @@ command pipelining constraints.
 .PP
 Available in Postfix 3.9, 3.8.4, 3.7.9, 3.6.13, 3.5.23 and later:
 .IP "\fBsmtpd_forbid_bare_newline (Postfix >= 3.9: normalize)\fR"
-Disconnect, reject, or normalize commands and email message
-content when a remote SMTP client sends lines ending in .
+Reject or normalize commands and email message content when a
+remote SMTP client sends lines ending in .
 .IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR"
 Exclude the specified clients from smtpd_forbid_bare_newline
 enforcement.
diff --git a/postfix/proto/postconf.proto b/postfix/proto/postconf.proto
index f0b835099..bbc3c77ba 100644
--- a/postfix/proto/postconf.proto
+++ b/postfix/proto/postconf.proto
@@ -19068,10 +19068,10 @@ MinProtocol = TLSv1
 
 %PARAM smtpd_forbid_bare_newline Postfix ≥ 3.9: normalize
 
-
 Disconnect, reject, or normalize commands and email message
-content when a remote SMTP client sends lines ending in <LF>.
-Such line endings are commonly allowed with UNIX-based SMTP servers,
-but they violate the RFC 5321 requirement that lines must end in
+
 Reject or normalize commands and email message content when a
+remote SMTP client sends lines ending in <LF>. Such line
+endings are commonly allowed with UNIX-based SMTP servers, but they
+violate the RFC 5321 requirement that lines must end in
 <CR><LF>. <.p>
 
 
 Specify one of the following values (case does not matter): 

@@ -19082,29 +19082,25 @@ but they violate the RFC 5321 requirement that lines must end in
 SMTP clients that send lines ending in the non-standard <LF>,
 and treat those line endings as if the client sent the standard
 <CR><LF>. However, if an SMTP client sends any DATA
-content line ending in the standard <CR><LF>, support
-only the standard End-of-DATA form
-<CR><LF>.<CR><LF>, and skip non-standard
-End-of-DATA forms after logging them as:
-

-
-skipping unexpected <LF>.<LF> in DATA from...
-skipping unexpected <LF>.<CR><LF> in DATA from...
-

-

-This may fail to receive email from legitimate SMTP clients that
-send DATA content with a mix of line endings. Such clients need
-to be excluded with smtpd_forbid_bare_newline_exclusions.
+content line ending in the standard <CR><LF>, require +the standard End-of-DATA form <CR><LF>.<CR><LF>, +and skip non-standard End-of-DATA forms.
This may fail to +receive email from legitimate SMTP clients that send non-standard +line endings such web applications, netcat, fax machines, or load +balancer health checks. Such clients need to be excluded with +smtpd_forbid_bare_newline_exclusions.
yes
Alias for "normalize".
reject
When an SMTP client sends a command or message content line ending in <LF>, log a "bare <LF> -received" error, and reject the command or message content with -smtpd_forbid_bare_newline_reject_code. This will fail to receive -email from legitimate SMTP clients that send command or message -content with lines ending in <LF>. Such clients need to be -excluded with smtpd_forbid_bare_newline_exclusions.
+received" error, reject the command or message content with +smtpd_forbid_bare_newline_reject_code, and require the standard +End-of-DATA form <CR><LF>.<CR><LF>.
+This will fail to receive email from legitimate SMTP clients that +send non-standard line endings such web applications, netcat, fax +machines, or load balancer health checks. Such clients need to be +excluded with smtpd_forbid_bare_newline_exclusions.
no
Treat all lines ending in <LF> as if the client sent <CR><LF>. This option is fully @@ -19119,12 +19115,14 @@ href="https://www.postfix.org/smtp-smuggling.html"> SMTP smuggling. 
-# Allow bare newlines from local and remote SMTP clients. If any
-# DATA content line ends in <CR><LF>, require the standard End-of-DATA
-# form <CR><LF>.<CR><LF> and skip plus log non-standard forms.
-# This may fail to receive email from legitimate clients that send a
-# mix of lines ending in <LF> and <CR><LF>. If such clients exist,
-# they need to be excluded with smtpd_forbid_bare_newline_exclusions.
+# Allow bare newlines from local and remote SMTP clients. If any DATA
+# content line ends in <CR><LF>, require the standard End-of-DATA form
+# <CR><LF>.<CR><LF> and skip other End-of-DATA forms.
+#
+# This may cause problems for legitimate clients that send
+# non-standard line endings such as web applications, netcat, fax
+# machines, or load balancer health checks. Such clients need to be
+# excluded with smtpd_forbid_bare_newline_exclusions.
 #
 smtpd_forbid_bare_newline = normalize
 smtpd_forbid_bare_newline_exclusions = $mynetworks
@@ -19133,9 +19131,13 @@ smtpd_forbid_bare_newline_exclusions = $mynetworks
 
 

 
-# Reject bare newlines from remote SMTP clients, but allow them from
-# local non-standard clients such as netcat, fax machines, or load
-# balancer health checks.
+# Reject bare newlines from remote SMTP clients. Require the standard
+# End-of-DATA form <CR><LF>.<CR><LF>.
+#
+# This will cause problems for legitimate clients that send
+# non-standard line endings such as web applications, netcat, fax
+# machines, or load balancer health checks. Such clients need to be
+# excluded with smtpd_forbid_bare_newline_exclusions.
 #
 smtpd_forbid_bare_newline = reject
 smtpd_forbid_bare_newline_exclusions = $mynetworks
diff --git a/postfix/proto/stop.double-history b/postfix/proto/stop.double-history
index 7b32c1fda..aaca3c976 100644
--- a/postfix/proto/stop.double-history
+++ b/postfix/proto/stop.double-history
@@ -88,3 +88,5 @@ proto  proto aliases proto virtual proto ADDRESS_REWRITING_README html
  smtpd smtpd c global smtp_stream hc global cleanup_user h 
  smtpd smtpd c smtpd smtpd_check c 
  keep reading message content after an unexpected LF LF 
+ forms Files proto postconf proto smtpd smtpd c 
+ CR LF CR CR LF File global smtp_stream c 
diff --git a/postfix/src/global/mail_version.h b/postfix/src/global/mail_version.h
index b2f0c7999..d11250180 100644
--- a/postfix/src/global/mail_version.h
+++ b/postfix/src/global/mail_version.h
@@ -20,7 +20,7 @@
   * Patches change both the patchlevel and the release date. Snapshots have no
   * patchlevel; they change the release date only.
   */
-#define MAIL_RELEASE_DATE	"20240104"
+#define MAIL_RELEASE_DATE	"20240106"
 #define MAIL_VERSION_NUMBER	"3.9"
 
 #ifdef SNAPSHOT
diff --git a/postfix/src/global/smtp_stream.c b/postfix/src/global/smtp_stream.c
index b22d245a1..769b9c081 100644
--- a/postfix/src/global/smtp_stream.c
+++ b/postfix/src/global/smtp_stream.c
@@ -431,11 +431,15 @@ int     smtp_get_noexcept(VSTRING *vp, VSTREAM *stream, ssize_t bound, int flags
 	 */
     case '\n':
 	vstring_truncate(vp, VSTRING_LEN(vp) - 1);
-	if (smtp_forbid_bare_lf
-	    && (VSTRING_LEN(vp) == 0 || vstring_end(vp)[-1] != '\r'))
-	    smtp_seen_bare_lf = smtp_forbid_bare_lf;
-	while (VSTRING_LEN(vp) > 0 && vstring_end(vp)[-1] == '\r')
-	    vstring_truncate(vp, VSTRING_LEN(vp) - 1);
+	if (smtp_forbid_bare_lf) {
+	    if (VSTRING_LEN(vp) == 0 || vstring_end(vp)[-1] != '\r')
+		smtp_seen_bare_lf = smtp_forbid_bare_lf;
+	    else
+		vstring_truncate(vp, VSTRING_LEN(vp) - 1);
+	} else {
+	    while (VSTRING_LEN(vp) > 0 && vstring_end(vp)[-1] == '\r')
+		vstring_truncate(vp, VSTRING_LEN(vp) - 1);
+	}
 	VSTRING_TERMINATE(vp);
 	/* FALLTRHOUGH */
 
diff --git a/postfix/src/smtpd/smtpd.c b/postfix/src/smtpd/smtpd.c
index 1fe3b003c..86c7c84d6 100644
--- a/postfix/src/smtpd/smtpd.c
+++ b/postfix/src/smtpd/smtpd.c
@@ -825,8 +825,8 @@
 /* .PP
 /*	Available in Postfix 3.9, 3.8.4, 3.7.9, 3.6.13, 3.5.23 and later:
 /* .IP "\fBsmtpd_forbid_bare_newline (Postfix >= 3.9: normalize)\fR"
-/*	Disconnect, reject, or normalize commands and email message
-/*	content when a remote SMTP client sends lines ending in .
+/*	Reject or normalize commands and email message content when a
+/*	remote SMTP client sends lines ending in .
 /* .IP "\fBsmtpd_forbid_bare_newline_exclusions ($mynetworks)\fR"
 /*	Exclude the specified clients from smtpd_forbid_bare_newline
 /*	enforcement.
@@ -3623,7 +3623,7 @@ static void receive_data_message(SMTPD_STATE *state,
     int     prev_rec_type;
     int     first = 1;
     int     prev_seen_bare_lf = 0;
-    int     expect_crlf_dot = 0;
+    int     expect_crlf_dot = IS_BARE_LF_REJECT(smtp_forbid_bare_lf);
 
     /*
      * If deadlines are enabled, increase the time budget as message content
@@ -3667,14 +3667,9 @@ static void receive_data_message(SMTPD_STATE *state,
 		out_record(out_stream, REC_TYPE_NORM, "", 0);
 	}
 	if (prev_rec_type != REC_TYPE_CONT && *start == '.') {
-	    if (len == 1 && prev_seen_bare_lf && expect_crlf_dot) {
-		if (IS_BARE_LF_NORMALIZE(prev_seen_bare_lf))
-		    msg_info("%s: skipping unexpected .%s in DATA from %s",
-			     state->queue_id ? state->queue_id : "NOQUEUE",
-			     smtp_seen_bare_lf ? "" : "",
-			     state->namaddr);
+	    if (len == 1 && expect_crlf_dot
+		&& (smtp_seen_bare_lf || prev_seen_bare_lf))
 		continue;
-	    }
 	    if (proxy == 0 ? (++start, --len) == 0 : len == 1)
 		break;
 	}