[exim-cvs] SECURITY: DKIM DNS buffer overflow protection

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] SECURITY: DKIM DNS buffer overflow protection
Gitweb: http://git.exim.org/exim.git/commitdiff/4263f395efd136dece52d765dfcff3c96f17506e
Commit:     4263f395efd136dece52d765dfcff3c96f17506e
Parent:     bba74fc65f77dc6678b3d33eef0acf43efe8f653
Author:     Phil Pennock <pdp@???>
AuthorDate: Wed Oct 24 23:26:29 2012 -0400
Committer:  Phil Pennock <pdp@???>
CommitDate: Wed Oct 24 23:26:29 2012 -0400


    SECURITY: DKIM DNS buffer overflow protection


    CVE-2012-5671


    malloc/heap overflow, with a 60kB window of overwrite.
    Requires DNS under control of person sending email, leaves plenty of
    evidence, but is very likely exploitable on OSes that have not been
    well hardened.
---
 doc/doc-txt/ChangeLog |    8 ++++++++
 src/src/dkim.c        |    3 +++
 src/src/pdkim/pdkim.h |    4 ++--
 3 files changed, 13 insertions(+), 2 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 6c0554b..bc2fbc6 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,6 +1,14 @@
Change log file for Exim from version 4.21
-------------------------------------------

+Exim version 4.80.1
+-------------------
+
+PP/01 SECURITY: protect DKIM DNS decoding from remote exploit.
+      CVE-2012-5671
+      This, or similar/improved, will also be change PP/11 of 4.81.
+
+
 Exim version 4.80
 -----------------


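Review bot: the ChangeLog entry describes the fix only as "protect DKIM DNS decoding from remote exploit" and does not state the user-visible behaviour change that the code hunks introduce, namely that DKIM verification now fails (PDKIM_FAIL) for a TXT answer whose decoded length reaches PDKIM_DNS_TXT_MAX_RECLEN, and that this limit was raised from 4096 to 65536. One extra line under PP/01 naming that limit would let operators understand the new failure mode when they see DKIM verification errors after upgrading.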
diff --git a/src/src/dkim.c b/src/src/dkim.c
index 87e91de..05b5fec 100644
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -42,6 +42,9 @@ int dkim_exim_query_dns_txt(char *name, char *answer) {
                "%.*s", (int)len, (char *)((rr->data)+rr_offset));
       rr_offset+=len;
       answer_offset+=len;
+      if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN) {
+        return PDKIM_FAIL;
+      }
     }
   }
   else return PDKIM_FAIL;
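Review bot: the new bounds check runs after the snprintf copy and after `answer_offset+=len`, so it only prevents the next iteration from writing; the iteration in which `answer_offset` first crosses PDKIM_DNS_TXT_MAX_RECLEN still depends on the snprintf size argument (cut off above this hunk) to stay inside the buffer, so please confirm that argument is derived from the remaining space and cannot go negative once the offset is past the limit. A stricter form is to test before the copy, `if (answer_offset + len >= PDKIM_DNS_TXT_MAX_RECLEN) return PDKIM_FAIL;`, so the write never relies on that bound. Also note that on the new early return `answer` is partially filled and may lack a terminating NUL; callers must treat its contents as undefined whenever PDKIM_FAIL is returned.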
diff --git a/src/src/pdkim/pdkim.h b/src/src/pdkim/pdkim.h
index 764cc83..1d364a3 100644
--- a/src/src/pdkim/pdkim.h
+++ b/src/src/pdkim/pdkim.h
@@ -27,8 +27,8 @@


 /* -------------------------------------------------------------------------- */
 /* Length of the preallocated buffer for the "answer" from the dns/txt
-   callback function. */
-#define PDKIM_DNS_TXT_MAX_RECLEN    4096
+   callback function. This should match the maximum RDLENGTH from DNS. */
+#define PDKIM_DNS_TXT_MAX_RECLEN    (1 << 16)


/* -------------------------------------------------------------------------- */
/* Function success / error codes */
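Review bot: the updated comment says the value "should match the maximum RDLENGTH from DNS", but RDLENGTH is a 16-bit field whose maximum is 65535 while `(1 << 16)` is 65536; if the extra byte is intentional room for the NUL that snprintf writes, the comment should say so, otherwise a later reader may "correct" it to 0xFFFF and lose the terminator. It is also worth stating that this macro is a buffer size preallocated by callers, so raising it from 4 KiB to 64 KiB enlarges every allocation made with it, and that the size by itself does not bound the decode loop: the check added in dkim.c is what stops writes past it.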