========================================================================
CVE-2020-EXOPT -- Heap out-of-bounds read and write in extract_option()
========================================================================

The name=value parameters such as AUTH= are extracted from MAIL FROM and
RCPT TO commands by extract_option():

1994 static BOOL
1995 extract_option(uschar **name, uschar **value)
1996 {
1997 uschar *n;
1998 uschar *v = smtp_cmd_data + Ustrlen(smtp_cmd_data) - 1;
....
2001 while (v > smtp_cmd_data && *v != '=' && !isspace(*v))
2002   {
....
2005   if (*v == '"') do v--; while (*v != '"' && v > smtp_cmd_data+1);
2006   v--;
2007   }
2008
2009 n = v;

Unfortunately, this function can decrease v (value) and hence n (name)
out of smtp_cmd_data's bounds (into the preceding smtp_cmd_buffer):

- at line 2001, v can point to smtp_cmd_data + 1;

- at line 2005, v-- decrements v to smtp_cmd_data;

- at line 2006, v-- decrements v to smtp_cmd_data - 1.

Subsequently, the code in extract_option() and smtp_setup_msg() reads
from and writes to v and n out of smtp_cmd_data's bounds.

If exploitable, this vulnerability would allow an unauthenticated remote
attacker to execute arbitrary commands as the "exim" user. So far we
were unable to exploit this vulnerability: although we are able to
decrease v and n out of smtp_cmd_data's bounds, we were unable to
decrease v or n out of the preceding smtp_cmd_buffer's bounds.
Surprisingly, however, we do use this vulnerability in our
proof-of-concept for CVE-2020-FGETS.

