diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2019-09-02 23:04:26 +0200 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2019-09-03 08:25:23 +0200 |
| commit | 4d0306c6982ad80be532438265c52c39a55889a0 (patch) | |
| tree | 82a332eb3444e02c07b306d072148fac2d326c63 | |
| parent | 198b73d12ce36256fb7db85a256920d536b20a72 (diff) | |
| download | curl-4d0306c6982ad80be532438265c52c39a55889a0.tar.gz | |
smtp: check for and bail out on too short EHLO response
Otherwise, a three byte response would make the smtp_state_ehlo_resp()
function misbehave.
Credit to OSS-Fuzz
Bug: https://crbug.com/oss-fuzz/16918
Assisted-by: Max Dymond
Closes #4287
| -rw-r--r-- | lib/smtp.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/lib/smtp.c b/lib/smtp.c index 0db3c1e1c..65220b0f6 100644 --- a/lib/smtp.c +++ b/lib/smtp.c @@ -714,7 +714,7 @@ static CURLcode smtp_state_ehlo_resp(struct connectdata *conn, int smtpcode, result = CURLE_REMOTE_ACCESS_DENIED; } } - else { + else if(len >= 4) { line += 4; len -= 4; @@ -785,6 +785,10 @@ static CURLcode smtp_state_ehlo_resp(struct connectdata *conn, int smtpcode, result = smtp_perform_authentication(conn); } } + else { + failf(data, "Unexpectedly short EHLO response"); + result = CURLE_WEIRD_SERVER_REPLY; + } return result; } |