--- /dev/null
+From 09720dd9506176294154dad7152f5f40554046a4 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Thu, 14 Mar 2019 12:26:34 +0000
+Subject: [PATCH 3/5] Fix crash from SRV lookup hitting a CNAME
+
+(cherry picked from commit 14bc9cf085aff7bd5147881e5b7068769a29b026)
+---
+ doc/ChangeLog | 4 ++++
+ src/dns.c | 10 +++++++---
+ 2 files changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/doc/ChangeLog b/doc/ChangeLog
+index 419c1061..0f8d05b2 100644
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -19,10 +19,14 @@ JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
+ suitably configured).
+
+ JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
+ and/or domain. Found and fixed by Jason Betts.
+
++JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid
++ configuration). If a CNAME target was not a wellformed name pattern, a
++ crash could result.
++
+
+ Exim version 4.92
+ -----------------
+
+ JH/01 Remove code calling the customisable local_scan function, unless a new
+diff --git a/src/dns.c b/src/dns.c
+index 0f0b435d..b7978c52 100644
+--- a/src/dns.c
++++ b/src/dns.c
+@@ -714,11 +714,15 @@ regex has substrings that are used - the default uses a conditional.
+ This test is omitted for PTR records. These occur only in calls from the dnsdb
+ lookup, which constructs the names itself, so they should be OK. Besides,
+ bitstring labels don't conform to normal name syntax. (But the aren't used any
+ more.)
+
+-For SRV records, we omit the initial _smtp._tcp. components at the start. */
++For SRV records, we omit the initial _smtp._tcp. components at the start.
++The check has been seen to bite on the destination of a SRV lookup that
++initiall hit a CNAME, for which the next name had only two components.
++RFC2782 makes no mention of the possibiility of CNAMES, but the Wikipedia
++article on SRV says they are not a valid configuration. */
+
+ #ifndef STAND_ALONE /* Omit this for stand-alone tests */
+
+ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
+ {
+@@ -730,12 +734,12 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
+ /* For an SRV lookup, skip over the first two components (the service and
+ protocol names, which both start with an underscore). */
+
+ if (type == T_SRV || type == T_TLSA)
+ {
+- while (*checkname++ != '.');
+- while (*checkname++ != '.');
++ while (*checkname && *checkname++ != '.') ;
++ while (*checkname && *checkname++ != '.') ;
+ }
+
+ if (pcre_exec(regex_check_dns_names, NULL, CCS checkname, Ustrlen(checkname),
+ 0, PCRE_EOPT, ovector, nelem(ovector)) < 0)
+ {
+--
+2.20.1
+
HCoop / hcoop / debian / exim4.git / blobdiff