Re: [Exim] verify=header_syntax Buffer overflow (CAN-2004-04…

Author: Philip Hazel
Date:  
To: Andreas Metzler
CC: Exim-Users (E-mail)
Subject: Re: [Exim] verify=header_syntax Buffer overflow (CAN-2004-0400)

On Thu, 6 May 2004, Andreas Metzler wrote:

> Afaict the broken code in src/verify.c is completely useless in exim4.
> The header name is copied to hname but the error message is generated
> from h->text and hname is ignored.


Correct. I have just been working on this. Below is my patch. There was
some old code that should have been deleted. The patch deletes it.

The bug was provoked by verify=header_syntax in combination with a
header that contained an unqualified local part, and a large amount of
white space between the name and the colon.

--
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book





*** exim-4.33/src/verify.c  Wed May  5 11:08:36 2004
--- verify.c    Thu May  6 14:36:40 2004
***************
*** 1264,1282 ****


      if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0)
        {
-       uschar hname[64];
-       uschar *t = h->text;
-       uschar *tt = hname;
        uschar *verb = US"is";
        int len;


-       while (*t != ':') *tt++ = *t++;
-       *tt = 0;
-
        /* Arrange not to include any white space at the end in the
        error message. */


-       t = ss;
        while (t > s && isspace(t[-1])) t--;


        /* Add the address which failed to the error message, since in a
--- 1264,1276 ----


      if (recipient == NULL && Ustrcmp(errmess, "empty address") != 0)
        {
        uschar *verb = US"is";
+       uschar *t = ss;
        int len;


        /* Arrange not to include any white space at the end in the
        error message. */


        while (t > s && isspace(t[-1])) t--;


        /* Add the address which failed to the error message, since in a
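
Review bot: A regression test is missing for the case this fixes. In the removed lines, `while (*t != ':') *tt++ = *t++;` copied the header name into `uschar hname[64]` with no bound, so a test message for verify=header_syntax with a header of the kind described in the mail above would pin the fix. The deletion itself looks right: the new side initialises `t` from `ss` at its declaration and the trailing-whitespace loop `while (t > s && isspace(t[-1])) t--;` is unchanged. It is still worth confirming that nothing after the visible context refers to `hname` or `tt`.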