From 7363d03b27f40d0704115f4d2bef80d3692c4a0a Mon Sep 17 00:00:00 2001
From: Craig
Date: Fri, 12 Feb 2016 01:26:50 +0000
Subject: [PATCH] Fix several panics on invalid input
---
 address.go | 2 +-
 protocol.go | 20 ++++++++++++++++++--
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/address.go b/address.go
index 84bf735..68ae8e6 100644
--- a/address.go
+++ b/address.go
@@ -7,7 +7,7 @@ import (
 func parseAddress(src string) (string, error) {
- if src[0] != '<' || src[len(src)-1] != '>' {
+ if len(src) == 0 || src[0] != '<' || src[len(src)-1] != '>' {
 return "", fmt.Errorf("Ill-formatted e-mail address: %s", src)
 }
diff --git a/protocol.go b/protocol.go
index 85ade92..6dfea11 100644
--- a/protocol.go
+++ b/protocol.go
@@ -166,14 +166,18 @@ func (session *session) handleEHLO(cmd command) {
 }
 func (session *session) handleMAIL(cmd command) {
+ if len(cmd.params) != 2 || strings.ToUpper(cmd.params[0]) != "FROM" {
+ session.reply(502, "Syntax error")
+ return
+ }
 if session.peer.HeloName == "" {
- session.reply(502, "Please introduce yourself first.")
+ session.reply(502, "Please introduce yourself first")
 return
 }
 if !session.tls && session.server.ForceTLS {
- session.reply(502, "Please turn on TLS by issuing a STARTTLS command.")
+ session.reply(502, "Please turn on TLS by issuing a STARTTLS command")
 return
 }
@@ -208,6 +212,10 @@ func (session *session) handleMAIL(cmd command) {
 }
 func (session *session) handleRCPT(cmd command) {
+ if len(cmd.params) != 2 || strings.ToUpper(cmd.params[0]) != "TO" {
+ session.reply(502, "Syntax error")
+ return
+ }
 if session.envelope == nil {
 session.reply(502, "Missing MAIL FROM command.")
@@ -361,6 +369,10 @@ func (session *session) handleQUIT(cmd command) {
 }
 func (session *session) handleAUTH(cmd command) {
+ if len(cmd.fields) < 2 {
+ session.reply(502, "Invalid syntax.")
+ return
+ }
 if session.server.Authenticator == nil {
 session.reply(502, "AUTH not supported.")
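Review bot: Nothing in this commit pins the fixed panics with a test: the diffstat lists only address.go and protocol.go. These inputs arrive from the remote SMTP peer, and an unrecovered panic in a Go goroutine ends the whole process, so a table-driven test feeding `""`, `"<"`, `">"` and `"<>"` to parseAddress (and bare `MAIL`, `RCPT`, `AUTH` and `XCLIENT` lines to a session) is worth adding alongside the `len(src) == 0` guard. On the line after the guard the peer-supplied string is formatted with `%s`; `%q` would keep control characters out of wherever the error is logged or echoed, which is not visible here. parseAddress continues past the end of the hunk.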
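Review bot: The syntax check added at the top of handleMAIL replies with 502, which RFC 5321 defines as "command not implemented"; a malformed `MAIL` line is a syntax error in parameters, for which the code is 501: `session.reply(501, "Syntax error")`. The same applies to the guards added in handleRCPT, handleAUTH and handleXCLIENT, and the latter two word the reply as `"Invalid syntax."` with a trailing period while this hunk strips trailing periods from two other replies. The exact-count test `len(cmd.params) != 2` is also stricter than avoiding the panic requires; how cmd.params is split is not visible here, so confirm that a reverse-path or ESMTP parameter containing the separator is not turned into a syntax error. handleMAIL continues past the end of the hunk.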
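Review bot: The guard `len(cmd.fields) < 2` in handleAUTH only establishes that `cmd.fields[1]` exists, and the rest of the handler lies outside the hunk. An AUTH line can carry a further peer-controlled argument after the mechanism name, and the decoded credentials are presumably split into parts, so every later index into `cmd.fields` or into a split result needs its own length check; a comment such as `// only fields[1] is guaranteed here; length-check anything beyond it` above the guard would record that. The same holds for the identical guard in handleXCLIENT. Both guards also run before the feature gate (`Authenticator == nil`, `!EnableXCLIENT`), so a server with the feature off answers a bare command with a syntax error instead of its "not supported" reply; testing the gate first keeps the disabled case uniform.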
@@ -467,6 +479,10 @@ func (session *session) handleAUTH(cmd command) {
 }
 func (session *session) handleXCLIENT(cmd command) {
+ if len(cmd.fields) < 2 {
+ session.reply(502, "Invalid syntax.")
+ return
+ }
 if !session.server.EnableXCLIENT {
 session.reply(550, "XCLIENT not enabled")