due to a swapped strlcpy() arguments we don't save the ORCPT argument
after validation. There's no buffer overflow since dsn_orcpt is zeroed.
Spotted by Tassilo Philipp, thanks!
ok millert gilles
-/* $OpenBSD: smtp_session.c,v 1.441 2024/01/28 17:23:17 op Exp $ */
+/* $OpenBSD: smtp_session.c,v 1.442 2024/03/20 17:52:43 op Exp $ */
/*
* Copyright (c) 2008 Gilles Chehade <gilles@poolp.org>
if ((p = strchr(opt, ';')) == NULL ||
!valid_xtext(p + 1) ||
- strlcpy(opt, tx->evp.dsn_orcpt, len) >= len) {
+ strlcpy(tx->evp.dsn_orcpt, opt, len) >= len) {
smtp_reply(tx->session,
"553 ORCPT address syntax error");
return;