From 481e65cfc86fbbe0c50e4f6fc60de650e5e3ece9 Mon Sep 17 00:00:00 2001
From: "Jean-Marc Pigeon (Delson)"
Date: Fri, 18 Jul 2025 15:47:26 -0400
Subject: [PATCH] Fix big bug with sock_purge (at starttls)

---
 lib/devsoc.c | 84 ++++++++++++++++++++++++++--------------------------
 lib/devsoc.h | 3 ++
 lib/lvleml.c | 3 +-
 lib/unitls.c | 2 +-
 4 files changed, 48 insertions(+), 44 deletions(-)

diff --git a/lib/devsoc.c b/lib/devsoc.c
index 105ba11..f696ba6 100644
--- a/lib/devsoc.c
+++ b/lib/devsoc.c
@@ -46,40 +46,6 @@ typedef struct {
 int iteration; //number of soc slot used on the IP
 }SOCTYP;
 
-/*
-
-*/
-/********************************************************/
-/* */
-/* Procedure to purge incoming TLS channel */
-/* After crypted link is established but before */
-/* to use it. */
-/* */
-/* See VE-2011-0411, "plaintext command injection" */
-/* */
-/********************************************************/
-static void socpurge(SOCTYP *soc,const char *peerip)
-
-{
-#define OPEP "devsoc.c:socpurge"
-
-int max;
-int count;
-
-max=1000; //purging for 1 seconde max;
-count=0;
-for (;countcarin=0;
- soc->carpile[0]='\000';
- (void) usleep(1000); //1 millisec
- (void) soc_receive(soc);
- if (soc->carin==0) //got no character
- break;
- }
-if (count>=max) //one second max!
- (void) rou_alert(0,"%s purge is too long with peer [%s]",OPEP,peerip);
-#undef OPEP
-}
 /*
@@ -1502,6 +1468,46 @@ while (proceed==true) {
 phase++;
 }
 return socptr;
+#undef OPEP
+}
+/*
+
+*/
+/********************************************************/
+/* */
+/* Procedure to purge incoming TLS channel */
+/* After crypted link is established but before */
+/* to use it. */
+/* */
+/* See VE-2011-0411, "plaintext command injection" */
+/* */
+/********************************************************/
+PUBLIC void soc_purge(SOCPTR *socptr,const char *peerip)
+
+{
+#define OPEP "devsoc.c:soc_purge,"
+
+int max;
+int count;
+
+max=1000; //purging for 1 seconde max;
+count=0;
+if (socptr!=(SOCPTR *)0) {
+ SOCTYP *soc;
+
+ soc=(SOCTYP *)socptr;
+ for (;countcarin=0;
+ soc->carpile[0]='\000';
+ (void) usleep(1000); //1 millisec
+ (void) soc_receive(soc);
+ if (soc->carin==0) //got no character
+ break;
+ }
+ }
+if (count>=max) //one second max!
+ (void) rou_alert(0,"%s purge is too long with peer [%s]",OPEP,peerip);
+
 #undef OPEP
 }
 /*
@@ -1524,16 +1530,10 @@ SOCTYP *soc;
 ok=false;
 soc=(SOCTYP *)socptr;
 if ((soc!=(SOCTYP *)0)&&(soc->modtls==false)) {
- char *peerip;
-
- peerip=(char *)0;
 switch (server) {
- case true :
- peerip=soc_getaddrinfo(socptr,false,false);
- (void) socpurge(soc,peerip);
- peerip=rou_freestr(peerip);
+ case true : //Nothing to do?
 break;
- case false :
+ case false : //Nothing to do?
 break;
 }
 soc->tls=tls_opentls(soc->handle,server);
diff --git a/lib/devsoc.h b/lib/devsoc.h
index db44609..6f5e587 100644
--- a/lib/devsoc.h
+++ b/lib/devsoc.h
@@ -69,6 +69,9 @@ extern char *soc_getaddrinfo(SOCPTR *socptr,_Bool local,_Bool getname);
 //procedure to release/clsoe socket
 extern SOCPTR *soc_release(SOCPTR *socptr);
 
+//procedure to purge contact chenel (used in case of starttls)
+extern void soc_purge(SOCPTR *socptr,const char *peerip);
+
 //procedure to initiate crypted mode on plain channel
 extern _Bool soc_starttls(SOCPTR *socptr,_Bool server);
 
diff --git a/lib/lvleml.c b/lib/lvleml.c
index b146d03..90b6d3a 100644
--- a/lib/lvleml.c
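Review bot: soc_purge discards whatever plaintext it finds behind STARTTLS but reports nothing back — it is declared `void` and the only outcome it exposes is the rou_alert when the one-second budget runs out — so the caller added in lib/lvleml.c (`(void) soc_purge(contact->socptr,contact->peerip);`) cannot tell a clean channel from one where the peer pipelined commands after STARTTLS; returning the number of non-empty reads (or a _Bool) would let that caller log the event or refuse the STARTTLS instead of silently continuing. The probe is also a 1 ms quiet-window heuristic (`usleep(1000)` then `soc_receive`, stop when `soc->carin==0`), so it presumably catches bytes already delivered to the socket but not bytes still in flight; the header comment should say so. That header comment's `VE-2011-0411` reads as a truncated `CVE-2011-0411`. The OPEP string `"devsoc.c:soc_purge,"` carries a trailing comma the removed `"devsoc.c:socpurge"` did not, which turns the alert into `devsoc.c:soc_purge, purge is too long ...`; if the file's other OPEP values have no comma, drop it. soc_purge starts and ends inside this hunk; the function whose `return socptr;` appears as leading context starts outside it.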
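Review bot: After this change the `switch (server)` in soc_starttls has two cases that both only `break;`, each annotated `//Nothing to do?`, so the statement is dead and the question marks read as unresolved doubt rather than a decision; either remove the switch or replace the two comments with a statement of intent. Since the server-side purge that used to run here is gone, soc_starttls now depends on every server-side caller having purged the channel before sending its STARTTLS reply, and nothing in the function says so; a comment at its head such as `//no plaintext is discarded here: server callers must run soc_purge() before replying to STARTTLS` records that contract. soc_starttls starts outside this hunk.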
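Review bot: The new prototype's comment, `//procedure to purge contact chenel (used in case of starttls)`, neither spells channel correctly nor says when the call is required, and for a function that exists to close a plaintext-injection window the header is where that contract belongs. Something like `//discard plaintext already received after STARTTLS; call before sending the reply to STARTTLS and before soc_starttls(); peerip is used only in the log message` would do, since in the implementation peerip appears only in the rou_alert argument list. The hunk is otherwise self-contained.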
+++ b/lib/lvleml.c
@@ -1695,7 +1695,7 @@ while (proceed==true) {
 break;
 }
 break;
- case 1 : //Stating starttls
+ case 1 : //Starting starttls
 phase=999; //No need to go futher
 rspcode=simple_smtp_command(rmt,"STARTTLS",rmt->orgdomain);
 switch (rspcode) {
@@ -2335,6 +2335,7 @@ while (proceed==true) {
 break;
 case c_starttls : //EHLO start encrypted link in server mode
 (void) usleep(100000);
+ (void) soc_purge(contact->socptr,contact->peerip);
 (void) transmit(contact,true,"%d 2.0.0 Ready to start TLS",SIGNON);
 switch (soc_starttls(contact->socptr,true)) {
 case true : { //link now in TLS crypted mode (server mode)
diff --git a/lib/unitls.c b/lib/unitls.c
index 8077b7b..f61ac64 100644
--- a/lib/unitls.c
+++ b/lib/unitls.c
@@ -251,7 +251,7 @@ mode=SSL_VERIFY_NONE;
 phase=0;
 proceed=true;
 while (proceed==true) {
- (void) rou_alert(0,"%s JMPDBG phase='%d'",OPEP,phase);
+ //(void) rou_alert(0,"%s JMPDBG phase='%d'",OPEP,phase);
 switch (phase) {
 case 0 : //loading certificate names
 for (int i=0;i<(sizeof(cenv)/sizeof(char *));i++) {
-- 
2.47.3
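Review bot: The purge now runs before the `220 ... Ready to start TLS` reply, whereas the removed call inside soc_starttls ran after that reply and could swallow the start of a compliant client's TLS handshake — presumably the bug the subject line refers to — but nothing at this line records why the order matters. A comment such as `//discard plaintext pipelined behind STARTTLS before replying 220: once the 220 is sent the client's TLS ClientHello is legitimate traffic and must not be purged (CVE-2011-0411)` would keep the call from being moved back. The enclosing switch and the `while (proceed==true)` loop start outside this hunk.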
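Review bot: Commenting out the `rou_alert(0,"%s JMPDBG phase='%d'",OPEP,phase);` line leaves dead code in the loop body; delete it, or, if the per-phase trace is still wanted during development, put it behind a compile-time debug switch if the project has one, rather than toggling the comment by hand. The enclosing `while (proceed==true)` loop starts outside this hunk.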