From 3611b583f51157a727cdca387da368cb8af3ae8d Mon Sep 17 00:00:00 2001
From: Dirk Ziegelmeier
Date: Wed, 14 Jun 2017 12:40:58 +0200
Subject: [PATCH] smtp.c, smtp_set_server_addr: Avoid smtp_server buffer overrun when server name length is SMTP_MAX_SERVERNAME_LEN -> "smtp_server[len] = 0" is an out-of-bound access
---
 src/apps/smtp/smtp.c | 8 ++++----
 src/include/lwip/apps/smtp_opts.h | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/apps/smtp/smtp.c b/src/apps/smtp/smtp.c
index 6b5170ec..3c30811d 100644
--- a/src/apps/smtp/smtp.c
+++ b/src/apps/smtp/smtp.c
@@ -65,7 +65,7 @@
 #include "lwip/altcp_tcp.h"
 #include "lwip/altcp_tls.h"
-#include
+#include /* strnlen, memcpy */
 #include
 /** TCP poll interval. Unit is 0.5 sec. */
@@ -346,10 +346,10 @@ smtp_set_server_addr(const char* server)
 {
 size_t len = 0;
 if (server != NULL) {
- len = strlen(server);
+ len = strnlen(server, SMTP_MAX_SERVERNAME_LEN); /* strnlen: length WITHOUT terminating 0 byte */
 }
- if (len > SMTP_MAX_SERVERNAME_LEN) {
- return ERR_MEM;
+ if (len >= SMTP_MAX_SERVERNAME_LEN) {
+ return ERR_MEM; /* too long or no room for terminating 0 byte */
 }
 if (len != 0) {
 MEMCPY(smtp_server, server, len);
diff --git a/src/include/lwip/apps/smtp_opts.h b/src/include/lwip/apps/smtp_opts.h
index 20a0bed0..0c56a9f0 100644
--- a/src/include/lwip/apps/smtp_opts.h
+++ b/src/include/lwip/apps/smtp_opts.h
@@ -24,7 +24,7 @@ extern "C" {
 #define SMTP_DEBUG LWIP_DBG_OFF
 #endif
-/** Maximum length reserved for server name */
+/** Maximum length reserved for server name including terminating 0 byte */
 #ifndef SMTP_MAX_SERVERNAME_LEN
 #define SMTP_MAX_SERVERNAME_LEN 256
 #endif
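Review bot: In the `smtp_set_server_addr` hunk of src/apps/smtp/smtp.c, the new guard `if (len >= SMTP_MAX_SERVERNAME_LEN)` is only a correct bound while `smtp_server` is declared with exactly SMTP_MAX_SERVERNAME_LEN bytes, and that declaration is outside the hunk. If `smtp_server` is an array, as the commit message's `smtp_server[len] = 0` suggests, comparing against the buffer itself with `if (len >= sizeof(smtp_server)) {` would keep the check tied to the real size if the declaration ever changes. Separately, `strnlen` is a POSIX function and not part of ISO C99/C11, so a port whose C library lacks it will no longer build; plain `strlen` with the corrected `>=` comparison already prevents the out-of-bounds terminator write. Note also that with the default of 256 the longest accepted server name is now 255 characters, which the smtp_opts.h comment documents but existing configurations may not expect. The function body continues past the end of the hunk, where the terminator is written.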