From 72b27390981cb55a6034bd02562c21e176b53922 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Thu, 23 Jan 2014 23:04:46 +0100 Subject: BUG: possible read out of bounds in parse_mail() If an address contains exactly 100 chars before the first "@", and multiple "@", then the address will be strncpy()'d multiple times with cur_pos being larger than the tmp_rcpt which is hard-coded to 100 chars in the stack, including the trailing zero. So the stack will be walked upwards by strncpy() until a zero is found, which may result in an easy segfault considering that a number of words above tmp_rcpt[] are pointers (variables and arguments), so they do not necessarily contain zeroes before the end of the stack. The fix simply consists in only doing the strncpy() for the first "@". --- original.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/original.c b/original.c index 4aa0c0f..d7764cf 100644 --- a/original.c +++ b/original.c @@ -341,7 +341,7 @@ string_t *parse_mail(string_t *buffer, int *total_rcpts) } while (*toline != '"'); break; default: - if (*toline == '@') + if (isemladdr == False && *toline == '@') { isemladdr = True; -- 1.7.12.1
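Review bot: the new `isemladdr == False &&` guard on the `if (*toline == '@')` branch stops the copy from being repeated for every later "@", but the hunk does not show the strncpy() call itself or the length it is given, so this diff alone does not establish that the first copy is bounded when cur_pos already reaches the 100-char tmp_rcpt described in the commit message, nor that the destination is NUL-terminated (strncpy() does not terminate when the source is at least as long as the count). Consider either widening the context so the strncpy() line is visible, or pairing this change with an explicit clamp such as `if (cur_pos > sizeof(tmp_rcpt) - 1) cur_pos = sizeof(tmp_rcpt) - 1;` followed by `tmp_rcpt[cur_pos] = '\0';`, and saying in the commit message why a single copy is safe. Since this runs on addresses taken from the message being parsed, the message could also state whether the crash is reachable from untrusted input, which affects how the fix is prioritised.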