summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2019-09-02 23:04:26 +0200
committerDaniel Stenberg <daniel@haxx.se>2019-09-02 23:04:26 +0200
commitf747b3ae38be34793d705e21853b2ecb7cb12c19 (patch)
treeb991b447d5d79bb94133129774478dcc1007254b
parent82a2168e61cfb643efc36ecc726828ff0da37f49 (diff)
downloadcurl-bagder/smtp-short-ehlo.tar.gz
smtp: check for and bail out on too short EHLO responsebagder/smtp-short-ehlo
Otherwise, a three byte response would make the smtp_state_ehlo_resp() function misbehave. Bug: https://crbug.com/oss-fuzz/16918 Assisted-by: Max Dymond
-rw-r--r--lib/smtp.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/smtp.c b/lib/smtp.c
index 0db3c1e1c..65220b0f6 100644
--- a/lib/smtp.c
+++ b/lib/smtp.c
@@ -714,7 +714,7 @@ static CURLcode smtp_state_ehlo_resp(struct connectdata *conn, int smtpcode,
result = CURLE_REMOTE_ACCESS_DENIED;
}
}
- else {
+ else if(len >= 4) {
line += 4;
len -= 4;
@@ -785,6 +785,10 @@ static CURLcode smtp_state_ehlo_resp(struct connectdata *conn, int smtpcode,
result = smtp_perform_authentication(conn);
}
}
+ else {
+ failf(data, "Unexpectedly short EHLO response");
+ result = CURLE_WEIRD_SERVER_REPLY;
+ }
return result;
}