CVE-2017-1000369 https://github.com/Exim/exim/commit/65e061b76867a9ea7aeeb535341b790b90ae6c21
--- a/doc/exim.8
+++ b/doc/exim.8
@@ -1350,7 +1350,7 @@ option sets the received protocol value that is stored in or \fB\-bs\fP is used. For \fB\-bh\fP, the protocol is forced to one of the standard SMTP protocol names. For \fB\-bs\fP, the protocol is always "local\-" followed by one of those same names. For \fB\-bS\fP (batched SMTP) however, the protocol can
-be set by \fB\-oMr\fP.
+be set by \fB\-oMr\fP. Repeated use of this option is not supported.
 .TP 10 \fB\-oMs\fP <\fIhost name\fP> See \fB\-oMa\fP above for general remarks about the \fB\-oM\fP options. The \fB\-oMs\fP
@@ -1418,6 +1418,7 @@ host name and its colon can be omitted when only the protocol is to be set. Note the Exim already has two private options, \fB\-pd\fP and \fB\-ps\fP, that refer to embedded Perl. It is therefore impossible to set a protocol value of d or s using this option (but that does not seem a real limitation).
+Repeated use of this option is not supported.
 .TP 10 \fB\-q\fP This option is normally restricted to admin users. However, there is a
--- a/src/exim.c
+++ b/src/exim.c
@@ -3092,7 +3092,14 @@ for (i = 1; i < argc; i++)
 /* -oMr: Received protocol */
- else if (Ustrcmp(argrest, "Mr") == 0) received_protocol = argv[++i];
+ else if (Ustrcmp(argrest, "Mr") == 0)
+
+ if (received_protocol)
+ {
+ fprintf(stderr, "received_protocol is set already\n");
+ exit(EXIT_FAILURE);
+ }
+ else received_protocol = argv[++i];
 /* -oMs: Set sender host name */
@@ -3188,7 +3195,15 @@ for (i = 1; i < argc; i++)
 if (*argrest != 0)
 {
- uschar *hn = Ustrchr(argrest, ':');
+ uschar *hn;
+
+ if (received_protocol)
+ {
+ fprintf(stderr, "received_protocol is set already\n");
+ exit(EXIT_FAILURE);
+ }
+
+ hn = Ustrchr(argrest, ':');
 if (hn == NULL)
 {
 received_protocol = argrest;
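Review bot: The body of `else if (Ustrcmp(argrest, "Mr") == 0)` in the `-oMr` hunk is now an unbraced `if`/`else`, separated from its condition by a blank line, in the middle of an `else if` chain. It binds as intended only because the inner `if` carries its own `else`; if that `else` were later removed or restructured, whatever `else` follows the `-oMs` comment (outside the hunk) would attach to `if (received_protocol)` instead of the option test. Bracing the whole body, `{ if (received_protocol) { ... } else received_protocol = argv[++i]; }`, and dropping the blank line makes the nesting explicit. The option loop and the rest of the chain start and end outside the hunk.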
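Review bot: Because `-p` and `-oMr` both test and assign `received_protocol`, this guard in the `-p` hunk (and the identical one in the `-oMr` hunk) also refuses a command line that uses each option once, which neither the message nor the man-page text "Repeated use of this option is not supported" says. The message `received_protocol is set already` names an internal variable rather than the options the caller typed; something like `fprintf(stderr, "exim: received protocol already set (-p or -oMr given more than once)\n");` would be easier to act on. The check also has no comment recording why a second setting is refused, so a later cleanup could relax it; a line such as `/* Refuse a second setting of the received protocol; see CVE-2017-1000369 */` above it would help. The enclosing block continues past the end of the hunk.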