ph10 2004/12/29 10:16:53 GMT
Modified files:
exim-doc/doc-txt ChangeLog NewStuff
exim-src/src host.c
Log:
The host_aton() buffer overflow: (1) Put a check in host_aton() itself;
(2) noted that the exploit via dnsdb/ptr lookup was already fortuitously
fixed by a previous change.
Revision Changes Path
1.58 +10 -2 exim/exim-doc/doc-txt/ChangeLog
1.24 +3 -3 exim/exim-doc/doc-txt/NewStuff
1.4 +7 -1 exim/exim-src/src/host.c
Index: ChangeLog
===================================================================
RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
retrieving revision 1.57
retrieving revision 1.58
diff -u -r1.57 -r1.58
--- ChangeLog 22 Dec 2004 12:05:45 -0000 1.57
+++ ChangeLog 29 Dec 2004 10:16:52 -0000 1.58
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.57 2004/12/22 12:05:45 ph10 Exp $
+$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.58 2004/12/29 10:16:52 ph10 Exp $
Change log file for Exim from version 4.21
-------------------------------------------
@@ -236,8 +236,8 @@
55. Some experimental protocols are using DNS PTR records for new purposes. The
keys for these records are domain names, not reversed IP addresses. The
- dnsdb lookup now tests whether it's key is an IP address. If not, it leaves
- it alone. Component reversal etc. now happens only for IP addresses.
+ dnsdb PTR lookup now tests whether its key is an IP address. If not, it
+ leaves it alone. Component reversal etc. now happens only for IP addresses.
56. Improve error message when ldap_search() fails in OpenLDAP or Solaris LDAP.
@@ -252,6 +252,14 @@
(1) $smtp_active_hostname is now available as a variable.
(2) The default for smtp_banner uses $smtp_active_hostname instead
of $primary_hostname.
+
+60. The host_aton() function is supposed to be passed a string that is known
+ to be a valid IP address. However, in the case of IPv6 addresses, it was
+ not checking this. This is a hostage to fortune. Exim now panics and dies
+ if the condition is not met. A case was found where this could be provoked
+ from a dnsdb lookup; fortuitously, this particular loophole had already
+ been fixed by change 4.50/55 above. If there are any other similar
+ loopholes, the new check should stop them being exploited.
Exim version 4.43
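Review bot: the new entry 60 says Exim "panics and dies" when the IPv6 check fails but does not tell an operator what that looks like or what to do about it; consider adding that the failure is written to the main and panic logs as an internal error naming host_aton(), and that it indicates a caller passed an unvalidated address, so an administrator who sees it should report it as a bug rather than look for a configuration fault. It would also help to state explicitly that callers remain responsible for syntax-checking addresses before calling host_aton(); the new check is a backstop, not a replacement for that validation.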
Index: NewStuff
===================================================================
RCS file: /home/cvs/exim/exim-doc/doc-txt/NewStuff,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- NewStuff 22 Dec 2004 12:05:45 -0000 1.23
+++ NewStuff 29 Dec 2004 10:16:52 -0000 1.24
@@ -1,4 +1,4 @@
-$Cambridge: exim/exim-doc/doc-txt/NewStuff,v 1.23 2004/12/22 12:05:45 ph10 Exp $
+$Cambridge: exim/exim-doc/doc-txt/NewStuff,v 1.24 2004/12/29 10:16:52 ph10 Exp $
New Features in Exim
--------------------
@@ -234,9 +234,9 @@
19. The Exiscan patch is now merged into the main source. See src/EDITME for
parameters for the build.
-20. If the key for a dnsdb lookup is not an IP address, it is used verbatim,
- without component reversal and without the addition of in-addr.arpa or
- ip6.arpa.
+20. If the key for a dnsdb PTR lookup is not an IP address, it is used
+ verbatim, without component reversal and without the addition of
+ in-addr.arpa or ip6.arpa.
21. Two changes related to the smtp_active_hostname option:
Index: host.c
===================================================================
RCS file: /home/cvs/exim/exim-src/src/host.c,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- host.c 18 Nov 2004 11:17:33 -0000 1.3
+++ host.c 29 Dec 2004 10:16:53 -0000 1.4
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/exim-src/src/host.c,v 1.3 2004/11/18 11:17:33 ph10 Exp $ */
+/* $Cambridge: exim/exim-src/src/host.c,v 1.4 2004/12/29 10:16:53 ph10 Exp $ */
/*************************************************
* Exim - an Internet mail transport agent *
@@ -754,12 +754,18 @@
if (*p == ':') p++;
- /* Split the address into components separated by colons. */
+ /* Split the address into components separated by colons. The input address
+ is supposed to be checked for syntax. There was a case where this was
+ overlooked; to guard against that happening again, check here and crash if
+ there is a violation. */
while (*p != 0)
{
int len = Ustrcspn(p, ":");
if (len == 0) nulloffset = ci;
+ if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
+ address);
component[ci++] = p;
p += len;
if (*p == ':') p++;
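Review bot: the guard `if (ci > 7)` sits immediately before `component[ci++] = p;`, so the out-of-bounds write into component[] is stopped before it happens, which is the right place for it; however `if (len == 0) nulloffset = ci;` on the preceding line still records the unchecked index, which is harmless only because the process dies on the next statement, and moving the guard to the top of the loop body would make that ordering self-evident. The literal 7 duplicates the size of component[], which is declared outside this hunk; deriving the bound from the array itself (for example sizeof(component)/sizeof(component[0]) - 1) keeps the two from drifting apart if the declaration ever changes. Note also that LOG_PANIC_DIE terminates the process, so any remaining path that feeds an unvalidated string to host_aton() now produces a crash rather than a memory write; that is the trade-off the new comment states, but it means callers such as the dnsdb lookup must still validate before calling, and the log message would be more useful to whoever has to chase such a report if it identified the caller as well as the offending address.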