diff options
Diffstat (limited to 'mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch')
-rw-r--r-- | mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch new file mode 100644 index 000000000000..f1df70022e17 --- /dev/null +++ b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch @@ -0,0 +1,64 @@ +From 5540e1b47ac043033e6661b4e04dcaf958db0110 Mon Sep 17 00:00:00 2001 +From: Rolf Eike Beer <eike@sf-mail.de> +Date: Mon, 11 May 2020 18:55:11 +0200 +Subject: [PATCH 1/4] fix signedness wraparound in substdio_put() + (CVE-2005-1515) + +--- + qmail.c | 2 +- + substdo.c | 14 ++++++++------ + 2 files changed, 9 insertions(+), 7 deletions(-) + +diff --git a/qmail.c b/qmail.c +index 186c092..7c86a04 100644 +--- a/qmail.c ++++ b/qmail.c +@@ -61,7 +61,7 @@ void qmail_fail(qq) struct qmail *qq; + qq->flagerr = 1; + } + +-void qmail_put(qq,s,len) struct qmail *qq; char *s; int len; ++void qmail_put(qq,s,len) struct qmail *qq; char *s; unsigned int len; + { + if (!qq->flagerr) if (substdio_put(&qq->ss,s,len) == -1) qq->flagerr = 1; + } +diff --git a/substdo.c b/substdo.c +index fb616f7..bccf0d6 100644 +--- a/substdo.c ++++ b/substdo.c +@@ -7,7 +7,7 @@ static int allwrite(op,fd,buf,len) + register int (*op)(); + register int fd; + register char *buf; +-register int len; ++register unsigned int len; + { + register int w; + +@@ -55,16 +55,18 @@ register int len; + int substdio_put(s,buf,len) + register substdio *s; + register char *buf; +-register int len; ++register unsigned int len; + { +- register int n; ++ register unsigned int n = s->n; /* how many bytes to write in next chunk */ + +- n = s->n; +- if (len > n - s->p) { ++ /* check if the input would fit in the buffer without flushing */ ++ if (len > n - (unsigned int)s->p) { + if (substdio_flush(s) == -1) return -1; + /* now s->p == 0 */ + if (n < SUBSTDIO_OUTSIZE) n = SUBSTDIO_OUTSIZE; +- while (len > s->n) { ++ /* as long as the remainder would not fit into s->x write it directly ++ * from buf to s->fd. */ ++ while (len > (unsigned int)s->n) { + if (n > len) n = len; + if (allwrite(s->op,s->fd,buf,n) == -1) return -1; + buf += n; +-- +2.26.1 + |