From 90974261b712a8af65d8411c21445ad02392c876 Mon Sep 17 00:00:00 2001 From: op Date: Wed, 20 Mar 2024 17:52:43 +0000 Subject: [PATCH] fix ORCPT handling due to a swapped strlcpy() arguments we don't save the ORCPT argument after validation. There's no buffer overflow since dsn_orcpt is zeroed. Spotted by Tassilo Philipp, thanks! ok millert gilles --- usr.sbin/smtpd/smtp_session.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/usr.sbin/smtpd/smtp_session.c b/usr.sbin/smtpd/smtp_session.c index 3a99cb4f6b9..b72d2959182 100644 --- a/usr.sbin/smtpd/smtp_session.c +++ b/usr.sbin/smtpd/smtp_session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: smtp_session.c,v 1.441 2024/01/28 17:23:17 op Exp $ */ +/* $OpenBSD: smtp_session.c,v 1.442 2024/03/20 17:52:43 op Exp $ */ /* * Copyright (c) 2008 Gilles Chehade @@ -2481,7 +2481,7 @@ smtp_tx_rcpt_to(struct smtp_tx *tx, const char *line) if ((p = strchr(opt, ';')) == NULL || !valid_xtext(p + 1) || - strlcpy(opt, tx->evp.dsn_orcpt, len) >= len) { + strlcpy(tx->evp.dsn_orcpt, opt, len) >= len) { smtp_reply(tx->session, "553 ORCPT address syntax error"); return; -- 2.20.1