From: Philippe Antoine <contact@catenacyber.fr>
Date: Thu, 22 Apr 2021 08:28:15 +0000 (+0200)
Subject: smtp: null terminate before calling strtoul
X-Git-Tag: suricata-5.0.7~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d0dc72e4e5b6d4bac15fb6e0df490efe88e9bb8d;p=thirdparty%2Fsuricata.git

smtp: null terminate before calling strtoul

by copying in a temporary buffer
as is done in ByteExtractString

(cherry picked from commit 33fa7ab5969d3fc5ca088c003bd4dbfe76d77b6b)
---

diff --git a/src/app-layer-smtp.c b/src/app-layer-smtp.c
index e1f2ffb0c9..083a8398a0 100644
--- a/src/app-layer-smtp.c
+++ b/src/app-layer-smtp.c
@@ -1108,7 +1108,15 @@ static int SMTPParseCommandBDAT(SMTPState *state)
         return -1;
     }
     char *endptr = NULL;
-    state->bdat_chunk_len = strtoul((const char *)state->current_line + i,
+    // copy in temporary null-terminated buffer to call strtoul
+    char strbuf[24];
+    int len = 23;
+    if (state->current_line_len - i < len) {
+        len = state->current_line_len - i;
+    }
+    memcpy(strbuf, (const char *)state->current_line + i, len);
+    strbuf[len] = '\0';
+    state->bdat_chunk_len = strtoul((const char *)strbuf,
                                     (char **)&endptr, 10);
     if ((uint8_t *)endptr == state->current_line + i) {
         /* decoder event */