1 | From 09720dd9506176294154dad7152f5f40554046a4 Mon Sep 17 00:00:00 2001 |
2 | From: Jeremy Harris <jgh146exb@wizmail.org> | |
3 | Date: Thu, 14 Mar 2019 12:26:34 +0000 | |
4 | Subject: [PATCH 3/5] Fix crash from SRV lookup hitting a CNAME | |
5 | ||
6 | (cherry picked from commit 14bc9cf085aff7bd5147881e5b7068769a29b026) | |
7 | --- | |
8 | doc/ChangeLog | 4 ++++ | |
9 | src/dns.c | 10 +++++++--- | |
10 | 2 files changed, 11 insertions(+), 3 deletions(-) | |
11 | ||
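diff --git a/doc/ChangeLog b/doc/ChangeLog
index 419c1061..0f8d05b2 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -19,10 +19,14 @@ JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
 suitably configured).
 
 JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
 and/or domain. Found and fixed by Jason Betts.
 
+JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid
+ configuration). If a CNAME target was not a wellformed name pattern, a
+ crash could result.
+
 
 Exim version 4.92
 -----------------
 
 JH/01 Remove code calling the customisable local_scan function, unless a new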
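diff --git a/src/dns.c b/src/dns.c
index 0f0b435d..b7978c52 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -714,11 +714,15 @@ regex has substrings that are used - the default uses a conditional.
 This test is omitted for PTR records. These occur only in calls from the dnsdb
 lookup, which constructs the names itself, so they should be OK. Besides,
 bitstring labels don't conform to normal name syntax. (But the aren't used any
 more.)
 
-For SRV records, we omit the initial _smtp._tcp. components at the start. */
+For SRV records, we omit the initial _smtp._tcp. components at the start.
+The check has been seen to bite on the destination of a SRV lookup that
+initiall hit a CNAME, for which the next name had only two components.
+RFC2782 makes no mention of the possibiility of CNAMES, but the Wikipedia
+article on SRV says they are not a valid configuration. */
 
 #ifndef STAND_ALONE /* Omit this for stand-alone tests */
 
 if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
 {
@@ -730,12 +734,12 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
 /* For an SRV lookup, skip over the first two components (the service and
 protocol names, which both start with an underscore). */
 
 if (type == T_SRV || type == T_TLSA)
 {
- while (*checkname++ != '.');
- while (*checkname++ != '.');
+ while (*checkname && *checkname++ != '.') ;
+ while (*checkname && *checkname++ != '.') ;
 }
 
 if (pcre_exec(regex_check_dns_names, NULL, CCS checkname, Ustrlen(checkname),
 0, PCRE_EOPT, ovector, nelem(ovector)) < 0)
 {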
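Review bot: The guarded loops in the second hunk no longer read past the terminator, but a name with fewer than two dots now leaves `checkname` pointing at the empty string, and whether that name is rejected depends entirely on `regex_check_dns_names` refusing an empty subject; since that regex is built from `check_dns_names_pattern` (the configurable value tested in the outer condition), the new code relies on a property of admin-supplied configuration that nothing here states. Consider either a comment on the new lines, `/* A name with fewer than two labels leaves checkname empty; the pattern check below is relied on to reject it rather than reading past the buffer. */`, or an explicit `if (!*checkname)` test that takes the same failure path as a regex mismatch, so the hardening does not hinge on the pattern. The failure branch after the pcre_exec call and the rest of the enclosing function lie outside the hunk, so I cannot confirm what an empty `checkname` ultimately produces.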
67 | -- | |
68 | 2.20.1 | |