summaryrefslogtreecommitdiff
path: root/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch
diff options
context:
space:
mode:
Diffstat (limited to 'mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch')
-rw-r--r--mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch64
1 files changed, 64 insertions, 0 deletions
diff --git a/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch
new file mode 100644
index 000000000000..f1df70022e17
--- /dev/null
+++ b/mail-mta/netqmail/files/netqmail-1.06-CVE-2005-1515.patch
@@ -0,0 +1,64 @@
+From 5540e1b47ac043033e6661b4e04dcaf958db0110 Mon Sep 17 00:00:00 2001
+From: Rolf Eike Beer <eike@sf-mail.de>
+Date: Mon, 11 May 2020 18:55:11 +0200
+Subject: [PATCH 1/4] fix signedness wraparound in substdio_put()
+ (CVE-2005-1515)
+
+---
+ qmail.c | 2 +-
+ substdo.c | 14 ++++++++------
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/qmail.c b/qmail.c
+index 186c092..7c86a04 100644
+--- a/qmail.c
++++ b/qmail.c
+@@ -61,7 +61,7 @@ void qmail_fail(qq) struct qmail *qq;
+ qq->flagerr = 1;
+ }
+
+-void qmail_put(qq,s,len) struct qmail *qq; char *s; int len;
++void qmail_put(qq,s,len) struct qmail *qq; char *s; unsigned int len;
+ {
+ if (!qq->flagerr) if (substdio_put(&qq->ss,s,len) == -1) qq->flagerr = 1;
+ }
+diff --git a/substdo.c b/substdo.c
+index fb616f7..bccf0d6 100644
+--- a/substdo.c
++++ b/substdo.c
+@@ -7,7 +7,7 @@ static int allwrite(op,fd,buf,len)
+ register int (*op)();
+ register int fd;
+ register char *buf;
+-register int len;
++register unsigned int len;
+ {
+ register int w;
+
+@@ -55,16 +55,18 @@ register int len;
+ int substdio_put(s,buf,len)
+ register substdio *s;
+ register char *buf;
+-register int len;
++register unsigned int len;
+ {
+- register int n;
++ register unsigned int n = s->n; /* how many bytes to write in next chunk */
+
+- n = s->n;
+- if (len > n - s->p) {
++ /* check if the input would fit in the buffer without flushing */
++ if (len > n - (unsigned int)s->p) {
+ if (substdio_flush(s) == -1) return -1;
+ /* now s->p == 0 */
+ if (n < SUBSTDIO_OUTSIZE) n = SUBSTDIO_OUTSIZE;
+- while (len > s->n) {
++ /* as long as the remainder would not fit into s->x write it directly
++ * from buf to s->fd. */
++ while (len > (unsigned int)s->n) {
+ if (n > len) n = len;
+ if (allwrite(s->op,s->fd,buf,n) == -1) return -1;
+ buf += n;
+--
+2.26.1
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-24 07:52:29 +0000