| 1 | From 09720dd9506176294154dad7152f5f40554046a4 Mon Sep 17 00:00:00 2001 |
| 2 | From: Jeremy Harris <jgh146exb@wizmail.org> |
| 3 | Date: Thu, 14 Mar 2019 12:26:34 +0000 |
| 4 | Subject: [PATCH 3/5] Fix crash from SRV lookup hitting a CNAME |
| 5 | |
| 6 | (cherry picked from commit 14bc9cf085aff7bd5147881e5b7068769a29b026) |
| 7 | --- |
| 8 | doc/ChangeLog | 4 ++++ |
| 9 | src/dns.c | 10 +++++++--- |
| 10 | 2 files changed, 11 insertions(+), 3 deletions(-) |
| 11 | |
| 12 | diff --git a/doc/ChangeLog b/doc/ChangeLog |
| 13 | index 419c1061..0f8d05b2 100644 |
| 14 | --- a/doc/ChangeLog |
| 15 | +++ b/doc/ChangeLog |
| 16 | @@ -19,10 +19,14 @@ JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under |
| 17 | suitably configured). |
| 18 | |
| 19 | JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part |
| 20 | and/or domain. Found and fixed by Jason Betts. |
| 21 | |
| 22 | +JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid |
| 23 | + configuration). If a CNAME target was not a wellformed name pattern, a |
| 24 | + crash could result. |
| 25 | + |
| 26 | |
| 27 | Exim version 4.92 |
| 28 | ----------------- |
| 29 | |
| 30 | JH/01 Remove code calling the customisable local_scan function, unless a new |
| 31 | diff --git a/src/dns.c b/src/dns.c |
| 32 | index 0f0b435d..b7978c52 100644 |
| 33 | --- a/src/dns.c |
| 34 | +++ b/src/dns.c |
| 35 | @@ -714,11 +714,15 @@ regex has substrings that are used - the default uses a conditional. |
| 36 | This test is omitted for PTR records. These occur only in calls from the dnsdb |
| 37 | lookup, which constructs the names itself, so they should be OK. Besides, |
| 38 | bitstring labels don't conform to normal name syntax. (But the aren't used any |
| 39 | more.) |
| 40 | |
| 41 | -For SRV records, we omit the initial _smtp._tcp. components at the start. */ |
| 42 | +For SRV records, we omit the initial _smtp._tcp. components at the start. |
| 43 | +The check has been seen to bite on the destination of a SRV lookup that |
| 44 | +initiall hit a CNAME, for which the next name had only two components. |
| 45 | +RFC2782 makes no mention of the possibiility of CNAMES, but the Wikipedia |
| 46 | +article on SRV says they are not a valid configuration. */ |
| 47 | |
| 48 | #ifndef STAND_ALONE /* Omit this for stand-alone tests */ |
| 49 | |
| 50 | if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT) |
| 51 | { |
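Review bot: The expanded comment ahead of the `#ifndef STAND_ALONE` block still describes only SRV records, but the branch in the next hunk applies the same skip to `T_TLSA`. It does not say what happens when the name has fewer than two dots, and it has two typos (`initiall`, `possibiility`). I would reword the tail along the lines of `For SRV and TLSA records we skip up to two leading components, stopping at the end of the name; a CNAME target reached from such a lookup may have fewer than two.` The comment opens outside this hunk, so the rest of its wording is not visible here.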
| 52 | @@ -730,12 +734,12 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT) |
| 53 | /* For an SRV lookup, skip over the first two components (the service and |
| 54 | protocol names, which both start with an underscore). */ |
| 55 | |
| 56 | if (type == T_SRV || type == T_TLSA) |
| 57 | { |
| 58 | - while (*checkname++ != '.'); |
| 59 | - while (*checkname++ != '.'); |
| 60 | + while (*checkname && *checkname++ != '.') ; |
| 61 | + while (*checkname && *checkname++ != '.') ; |
| 62 | } |
| 63 | |
| 64 | if (pcre_exec(regex_check_dns_names, NULL, CCS checkname, Ustrlen(checkname), |
| 65 | 0, PCRE_EOPT, ovector, nelem(ovector)) < 0) |
| 66 | { |
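Review bot: The two skip loops in the `type == T_SRV || type == T_TLSA` branch still discard the first two labels without checking that they are the underscore-prefixed service and protocol labels the comment describes. When the name under test is a CNAME target, up to two ordinary labels therefore never reach `regex_check_dns_names`. The added `*checkname &&` guard stops the scan at the terminator, which addresses the overrun. A name with fewer than two dots now reaches `pcre_exec` as an empty subject, so the result depends on the configured pattern. Consider skipping a label only when it starts with an underscore, e.g. `if (*checkname == '_') while (*checkname && *checkname++ != '.') ;` written twice, so that other names are validated in full. The enclosing function begins and ends outside the hunk, so how a failed match is handled cannot be confirmed from here.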
| 67 | -- |
| 68 | 2.20.1 |
| 69 | |