Commit 9dcfda0

Fix a security vulnerability discovered by Qualys which can lead to a privilege escalation on mbox deliveries and unprivileged code execution on lmtp deliveries, due to a logic issue causing a sanity check to be missed. ok eric@, millert@
1 parent 23b78d5 commit 9dcfda0

1 file changed: +14 -16 lines changed

Diff for: usr.sbin/smtpd/smtp_session.c

@@ -1,4 +1,4 @@
1-
/* $OpenBSD: smtp_session.c,v 1.421 2020/01/08 00:05:38 gilles Exp $ */
1+
/* $OpenBSD: smtp_session.c,v 1.422 2020/01/28 21:35:00 gilles Exp $ */
22

33
/*
44
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
@@ -2236,25 +2236,23 @@ smtp_mailaddr(struct mailaddr *maddr, char *line, int mailfrom, char **args,
22362236
memmove(maddr->user, p, strlen(p) + 1);
22372237
}
22382238

2239-
if (!valid_localpart(maddr->user) ||
2240-
!valid_domainpart(maddr->domain)) {
2241-
/* accept empty return-path in MAIL FROM, required for bounces */
2242-
if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
2243-
return (1);
2239+
/* accept empty return-path in MAIL FROM, required for bounces */
2240+
if (mailfrom && maddr->user[0] == '\0' && maddr->domain[0] == '\0')
2241+
return (1);
22442242

2245-
/* no user-part, reject */
2246-
if (maddr->user[0] == '\0')
2247-
return (0);
2248-
2249-
/* no domain, local user */
2250-
if (maddr->domain[0] == '\0') {
2251-
(void)strlcpy(maddr->domain, domain,
2252-
sizeof(maddr->domain));
2253-
return (1);
2254-
}
2243+
/* no or invalid user-part, reject */
2244+
if (maddr->user[0] == '\0' || !valid_localpart(maddr->user))
22552245
return (0);
2246+
2247+
/* no domain part, local user */
2248+
if (maddr->domain[0] == '\0') {
2249+
(void)strlcpy(maddr->domain, domain,
2250+
sizeof(maddr->domain));
22562251
}
22572252

2253+
if (!valid_domainpart(maddr->domain))
2254+
return (0);
2255+
22582256
return (1);
22592257
}
22602258

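Review bot: the reordering at new lines 2243-2254 closes the gap where an address with an empty domain part and a local part that fails valid_localpart() was accepted. In the old block the "no domain, local user" path was only reachable from inside `if (!valid_localpart(maddr->user) || !valid_domainpart(maddr->domain))`, so an invalid user part combined with an empty domain entered that branch, passed the `maddr->user[0] == '\0'` test, and returned 1 at old line 2253 without the local part ever being rejected; the new code checks the local part unconditionally at 2244 before any domain handling. One behavioural change to confirm: `valid_domainpart()` at new line 2253 now also runs over the default `domain` copied in by strlcpy() at 2249-2250, which the old code never validated, so a misconfigured default domain would now reject every local recipient instead of accepting it. A regression test covering (a) empty user and domain with mailfrom set, (b) an invalid local part with an empty domain, and (c) a valid local part with an empty domain would pin down the three paths this hunk touches.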