Fix transport buffer size handling

Broken-by: 59932f7dcd
(cherry picked from commit 05bf16f6217e93594929c8bbbbbc852caf3ed374)

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 7da07ad46bf0e1a1523593021317b6ac0878d828..66c8a7a1b2a12973fa1e5a21a439d20c550fdce5 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -5,6 +5,13 @@ affect Exim's operation, with an unchanged configuration file.  For new
 options, and new features, see the NewStuff file next to this ChangeLog.
 
 
 options, and new features, see the NewStuff file next to this ChangeLog.
 
 

+Since version 4.92
+------------------
+
+JH/06 Fix buggy handling of autoreply bounce_return_size_limit, and a possible
+      buffer overrun for (non-chunking) other transports.
+
+

 Exim version 4.92
 -----------------
 
 Exim version 4.92
 -----------------
 

diff --git a/src/src/transport.c b/src/src/transport.c
index 8ccdd03890121acf320f48f780e74e782254f2f2..a069b883364bc44522e6bd4f51ab5579982dcb13 100644 (file)
--- a/src/src/transport.c
+++ b/src/src/transport.c
@@ -1115,13 +1115,13 @@ DEBUG(D_transport)
 
 if (!(tctx->options & topt_no_body))
   {
 
 if (!(tctx->options & topt_no_body))
   {

-  int size = size_limit;
+  unsigned long size = size_limit > 0 ? size_limit : ULONG_MAX;

 
   nl_check_length = abs(nl_check_length);
   nl_partial_match = 0;
   if (lseek(deliver_datafile, SPOOL_DATA_START_OFFSET, SEEK_SET) < 0)
     return FALSE;
 
   nl_check_length = abs(nl_check_length);
   nl_partial_match = 0;
   if (lseek(deliver_datafile, SPOOL_DATA_START_OFFSET, SEEK_SET) < 0)
     return FALSE;

-  while (  (len = MAX(DELIVER_IN_BUFFER_SIZE, size)) > 0
+  while (  (len = MIN(DELIVER_IN_BUFFER_SIZE, size)) > 0

        && (len = read(deliver_datafile, deliver_in_buffer, len)) > 0)
     {
     if (!write_chunk(tctx, deliver_in_buffer, len))
        && (len = read(deliver_datafile, deliver_in_buffer, len)) > 0)
     {
     if (!write_chunk(tctx, deliver_in_buffer, len))