Commit 946d304

Pavel Siskaxsiska12
authored andcommitted
smtp: Check payload length during parsing.
1 parent 45b33d9 commit 946d304

1 file changed

+22
-7
lines changed

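--- a/process/smtp.cpp
+++ b/process/smtp.cpp
@@ -45,6 +45,7 @@
 #include <cstring>
 #include <ctype.h>
 
+#include "common.hpp"
 #include "smtp.hpp"
 
 namespace ipxp {
@@ -273,6 +274,7 @@ bool SMTPPlugin::parse_smtp_command(const char *data, int payload_len, RecordExt
 const char *begin, *end;
 char buffer[32];
 size_t len;
+size_t remaining;
 
 if (payload_len == 0) {
 return false;
@@ -287,13 +289,13 @@ bool SMTPPlugin::parse_smtp_command(const char *data, int payload_len, RecordExt
 }
 
 begin = data;
-end = strchr(begin, '\r');
+end = static_cast<const char *>(memchr(begin, '\r', payload_len));
 
 len = end - begin;
 if (end == nullptr) {
 return false;
 }
-end = strchr(begin, ' ');
+end = static_cast<const char *>(memchr(begin, ' ', payload_len));
 if (end != nullptr) {
 len = end - begin;
 }
@@ -307,7 +309,8 @@ bool SMTPPlugin::parse_smtp_command(const char *data, int payload_len, RecordExt
 if (!strcmp(buffer, "HELO") || !strcmp(buffer, "EHLO")) {
 if (rec->domain[0] == 0 && end != nullptr) {
 begin = end;
-end = strchr(begin, '\r');
+remaining = payload_len - (begin - data);
+end = static_cast<const char *>(memchr(begin, '\r', remaining));
 if (end != nullptr && begin != NULL) {
 begin++;
 len = end - begin;
@@ -327,8 +330,14 @@ bool SMTPPlugin::parse_smtp_command(const char *data, int payload_len, RecordExt
 } else if (!strcmp(buffer, "RCPT")) {
 rec->mail_rcpt_cnt++;
 if (rec->first_recipient[0] == 0 && end != nullptr) {
-begin = strchr(end + 1, ':');
-end = strchr(end, '\r');
+if (check_payload_len(payload_len, (end + 1) - data)) {
+return false;
+}
+remaining = payload_len - ((end + 1) - data);
+begin = static_cast<const char *>(memchr(end + 1, ':', remaining));
+remaining = payload_len - (end - data);
+end = static_cast<const char *>(memchr(end, '\r', remaining));
+
 if (end != nullptr && begin != NULL) {
 begin++;
 len = end - begin;
@@ -344,8 +353,14 @@ bool SMTPPlugin::parse_smtp_command(const char *data, int payload_len, RecordExt
 } else if (!strcmp(buffer, "MAIL")) {
 rec->mail_cmd_cnt++;
 if (rec->first_sender[0] == 0 && end != nullptr) {
-begin = strchr(end + 1, ':');
-end = strchr(end, '\r');
+if (check_payload_len(payload_len, (end + 1) - data)) {
+return false;
+}
+remaining = payload_len - ((end + 1) - data);
+begin = static_cast<const char *>(memchr(end + 1, ':', remaining));
+remaining = payload_len - (end - data);
+end = static_cast<const char *>(memchr(end, '\r', remaining));
+
 if (end != nullptr && begin != NULL) {
 begin++;
 len = end - begin;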
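Review bot: In the RCPT and MAIL branches the `':'` search runs to the end of the payload rather than stopping at the `'\r'` that ends the command line, so `begin` can land after `end`, and `len = end - begin` then wraps to a very large `size_t`. The code that consumes `len` lies outside the visible hunks, so its bound should be confirmed. A local guard on the existing condition, `if (end != nullptr && begin != nullptr && begin < end) {`, would keep the length non-negative in both branches. Separately, `payload_len` is an `int` converted to `size_t` for `memchr`, and the visible lines reject only `payload_len == 0`; if a caller can ever pass a negative value, `if (payload_len <= 0) {` is the safer early return.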
