Mailing List Archive

[Bug 2409] Callout verification response buffer with non-ASCII characters is returned in the user message
https://bugs.exim.org/show_bug.cgi?id=2409

--- Comment #1 from Simon Arlott <bugzilla.exim.simon@arlott.org> ---
It looks like the reason I'm getting non-ASCII data in sx.buffer is because
it's never initialised and never used because of the failure to start TLS in
SMTPS mode, so the first character of the buffer needs to be initialised to 0
in case it's not used.

This doesn't prevent the remote server from sending us non-ASCII data that we
then relay in the verification message.

--
You are receiving this mail because:
You are on the CC list for the bug.
--
## List details at https://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##

--- Comment #2 from Jeremy Harris <jgh146exb@wizmail.org> ---
(In reply to Simon Arlott from comment #0)
> addr->user_message = options & vopt_is_recipient
>   ? string_sprintf("Callout verification failed:\n%s", sx.buffer)
>   : string_sprintf("Called: %s\nSent: %s\nResponse: %s",
>       host->address, big_buffer, sx.buffer);

Assuming this is verify.c line 1004, in 4.92, you shouldn't be hitting that
code. Errno should be ERRNO_TLSFAILURE, set at smtp.c line 2505.
What have I missed?


--- Comment #3 from Simon Arlott <bugzilla.exim.simon@arlott.org> ---
The error scenario with SMTPS only occurs on 4.86.2, but it's only one way that
non-ASCII data could get into sx.buffer.


Jeremy Harris <jgh146exb@wizmail.org> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Resolution |---      |INVALID
Status     |NEW      |RESOLVED

--- Comment #4 from Jeremy Harris <jgh146exb@wizmail.org> ---
Closing since, as described, does not apply to the version for which it was
raised.


Simon Arlott <bugzilla.exim.simon@arlott.org> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Resolution |INVALID  |---
Status     |RESOLVED |REOPENED

--- Comment #5 from Simon Arlott <bugzilla.exim.simon@arlott.org> ---
As I stated, that is only one way in which this can happen.

There is no protection against reading non-ASCII SMTP responses and then
repeating them in the callout message. The only requirement on reading an SMTP
response is that the first 4 characters are correct.

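The two conditions raised in this thread (a response buffer that was never filled, and a reply that passes the prefix check but carries non-ASCII bytes) can be handled before the buffer is quoted in a user message. The following is an added example, not Exim code and not from any participant in the thread; both function names are hypothetical, and the prefix rule (three digits then a space or hyphen) is an assumption based on RFC 5321 reply syntax.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not an Exim function. Reply-prefix shape check:
   three digits followed by ' ' or '-' (assumed from RFC 5321 reply syntax). */
static int smtp_reply_prefix_ok(const unsigned char *in, size_t inlen)
{
    return inlen >= 4 && isdigit(in[0]) && isdigit(in[1]) && isdigit(in[2])
        && (in[3] == ' ' || in[3] == '-');
}

/* Hypothetical helper: copy a response into out[] for quoting in a user
   message. Printable ASCII (except backslash) and '\n' pass through; every
   other byte becomes \xNN. Stops at the first NUL, so a buffer whose first
   byte is 0 gives "". Returns bytes escaped, or -1 if out[] is too small. */
static int sanitize_smtp_response(const unsigned char *in, size_t inlen,
                                  char *out, size_t outsz)
{
    size_t o = 0;
    int escaped = 0;
    if (outsz == 0)
        return -1;
    for (size_t i = 0; i < inlen && in[i] != 0; i++) {
        unsigned char c = in[i];
        int plain = (c >= 0x20 && c <= 0x7e && c != '\\') || c == '\n';
        size_t need = plain ? 1 : 4;
        if (o + need + 1 > outsz)      /* keep room for the final NUL */
            return -1;
        if (plain) {
            out[o++] = (char)c;
        } else {
            snprintf(out + o, 5, "\\x%02x", c);
            o += 4;
            escaped++;
        }
    }
    out[o] = '\0';
    return escaped;
}

int main(void)
{
    /* Constructed sample: valid reply prefix, then UTF-8 bytes and a CR. */
    const unsigned char resp[] = "550 caf\xc3\xa9 unknown\r\n";
    char out[128];
    int n = sanitize_smtp_response(resp, sizeof resp - 1, out, sizeof out);
    printf("prefix_ok=%d escaped=%d\n%s",
           smtp_reply_prefix_ok(resp, sizeof resp - 1), n, out);
    return 0;
}
```

The sample reply passes the prefix check yet still needs three bytes escaped, which is the gap comment #5 describes.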