[Fix] Fix sanity checks on macro value

Issue: #1998
MFH: rspamd-1.6

diff --git a/src/libserver/milter.c b/src/libserver/milter.c
index 511655e926436d6232fade0344d958f94499f097..6fc4892ee62d0fbeca34eb801056ab83e94639c9 100644 (file)
--- a/src/libserver/milter.c
+++ b/src/libserver/milter.c
@@ -450,7 +450,7 @@ rspamd_milter_process_command (struct rspamd_milter_session *session,
                while (pos < end) {
                        zero = memchr (pos, '\0', cmdlen);
 
-                       if (zero == NULL) {
+                       if (zero == NULL || end >= zero) {
                                err = g_error_new (rspamd_milter_quark (), EINVAL, "invalid "
                                                "macro command (no name)");
                                rspamd_milter_on_protocol_error (session, priv, err);
@@ -462,9 +462,9 @@ rspamd_milter_process_command (struct rspamd_milter_session *session,
                                rspamd_ftok_t *name_tok, *value_tok;
                                const guchar *zero_val;
 
-                               zero_val = memchr (zero + 1, '\0', cmdlen);
+                               zero_val = memchr (zero + 1, '\0', cmdlen - (end - zero));
 
-                               if (end > zero_val) {
+                               if (zero_val != NULL && end > zero_val) {
                                        name = rspamd_fstring_new_init (pos, zero - pos);
                                        value = rspamd_fstring_new_init (zero + 1,
                                                        zero_val - zero - 1);