========================================================================
CVE-2020-SCHAD -- Out-of-bounds read in smtp_setup_msg()
========================================================================

In smtp_setup_msg(), which reads the SMTP commands sent by a client to
the Exim server:

1455 int     smtp_ch_index          = 0;
....
1459 uschar  smtp_connection_had[SMTP_HBUFF_SIZE];

 126 #define HAD(n) \
 127     smtp_connection_had[smtp_ch_index++] = n; \
 128     if (smtp_ch_index >= SMTP_HBUFF_SIZE) smtp_ch_index = 0
....
5283     case DATA_CMD:
5284       HAD(SCH_DATA);
....
5305           smtp_printf("503 Valid RCPT command must precede %s\r\n", FALSE,
5306             smtp_names[smtp_connection_had[smtp_ch_index-1]]);

- line 5284 (line 128 in HAD()) can reset smtp_ch_index to 0 (an index
  into the circular buffer smtp_connection_had[]);

- line 5306 therefore reads smtp_connection_had[-1] out-of-bounds (an
  unsigned char index into the array smtp_names[]);

- depending on the value of this unsigned char index, line 5306 may also
  read smtp_names[smtp_connection_had[-1]] out-of-bounds (a pointer to a
  string);

- and line 5305 sends this string to the SMTP client and may therefore
  disclose sensitive information to an unauthenticated remote attacker.

(sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; for ((i=0; i<20-3; i++)); do echo 'RCPT TO:nonexistent'; done; sleep 3; echo 'DATA'; sleep 3) | nc -n -v 192.168.56.102 25

On Debian, this out-of-bounds read is not exploitable, because
smtp_connection_had[-1] is always 0 and line 5305 sends smtp_names[0]
("NONE") to the client. However, the memory layout of the Exim binary
may be more favorable to attackers on other operating systems.
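The following stand-alone C program is an added illustration, not Exim's code and not the Exim developers' fix: it models the smtp_connection_had[] ring buffer and the HAD() wrap-around described above, replays the command sequence of the reproduction session (EHLO, MAIL, 17 RCPTs, DATA), and shows that the index used at line 5306 becomes -1 exactly when the 20th command wraps the buffer. The buffer size of 20, the SCH_* numbering and the smtp_names[] contents are assumptions made for the illustration; the prev_index_safe() and last_command_name() helpers are a hypothetical hardened accessor (wrap-aware previous index plus a bounds check on the second table), shown for contrast.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Exim's code): a model of the command-history ring
   buffer from the advisory. SMTP_HBUFF_SIZE = 20 and the command codes
   below are assumptions for the illustration. */
#define SMTP_HBUFF_SIZE 20

enum { SCH_NONE = 0, SCH_EHLO, SCH_MAIL, SCH_RCPT, SCH_DATA, SCH_COUNT };

static const char *smtp_names[SCH_COUNT] = { "NONE", "EHLO", "MAIL", "RCPT", "DATA" };

static int smtp_ch_index = 0;
static unsigned char smtp_connection_had[SMTP_HBUFF_SIZE];

/* Same logic as the HAD() macro: store, advance, wrap to 0 when full. */
static void had(unsigned char n)
{
    smtp_connection_had[smtp_ch_index++] = n;
    if (smtp_ch_index >= SMTP_HBUFF_SIZE) smtp_ch_index = 0;
}

static void reset_history(void)
{
    smtp_ch_index = 0;
    memset(smtp_connection_had, 0, sizeof smtp_connection_had);
}

/* The index line 5306 computes: -1 right after HAD() has wrapped. */
static int prev_index_unsafe(void)
{
    return smtp_ch_index - 1;
}

/* Wrap-aware previous index (hypothetical fix): always in [0, SMTP_HBUFF_SIZE). */
static int prev_index_safe(void)
{
    return (smtp_ch_index + SMTP_HBUFF_SIZE - 1) % SMTP_HBUFF_SIZE;
}

/* Bounds-checked lookup of the last recorded command's name: guards both
   the ring-buffer index and the index into smtp_names[]. */
static const char *last_command_name(void)
{
    unsigned char code = smtp_connection_had[prev_index_safe()];
    if (code >= SCH_COUNT) return "UNKNOWN";
    return smtp_names[code];
}

/* Replays the reproduction session: EHLO, MAIL, 17 x RCPT, DATA = 20 commands.
   Returns the index the vulnerable code would use after the DATA command. */
static int replay_poc(void)
{
    reset_history();
    had(SCH_EHLO);
    had(SCH_MAIL);
    for (int i = 0; i < SMTP_HBUFF_SIZE - 3; i++) had(SCH_RCPT);
    had(SCH_DATA);              /* 20th command: smtp_ch_index wraps to 0 here */
    return prev_index_unsafe(); /* -1, i.e. smtp_connection_had[-1] at line 5306 */
}

int main(void)
{
    int idx = replay_poc();
    printf("unsafe previous index: %d, safe previous index: %d, last command: %s\n",
           idx, prev_index_safe(), last_command_name());
    return 0;
}
```

Run as written, the program reports an unsafe index of -1 and a safe index of 19 for the same buffer state; the Debian observation above (smtp_connection_had[-1] happens to be 0, so "NONE" is sent) is precisely the case where the out-of-bounds byte is benign by luck of layout rather than by construction, which is why the wrap-aware index, not the surrounding memory, is what should be relied on.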

This vulnerability was independently discovered and fixed by the Exim
developers in July 2020:

