[exim-cvs] Fix crash in mime acl when a parameter is untermi…

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Fix crash in mime acl when a parameter is unterminated
Gitweb: http://git.exim.org/exim.git/commitdiff/bf485bf34df3fc2214765497a5552851c6a8977a
Commit:     bf485bf34df3fc2214765497a5552851c6a8977a
Parent:     ad4c5ff9c1656eb9691fb1687ce7e0c59291ebda
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Tue Dec 30 20:39:02 2014 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Tue Dec 30 20:51:09 2014 +0000


    Fix crash in mime acl when a parameter is unterminated


    Verified-by: Wolfgang Breyha <wbreyha@???>
---
 src/src/mime.c                  |   33 +++++++++++----------------------
 test/confs/4000                 |    1 +
 test/log/4000                   |    9 ++++++---
 test/mail/4000.userx            |   36 ++++++++++++++++++++++++++++++++++++
 test/scripts/4000-scanning/4000 |   27 +++++++++++++++++++++++++++
 test/stdout/4000                |   11 +++++++++++
 6 files changed, 92 insertions(+), 25 deletions(-)


diff --git a/src/src/mime.c b/src/src/mime.c
index a61e9f2..e5fe476 100644
--- a/src/src/mime.c
+++ b/src/src/mime.c
@@ -599,46 +599,35 @@ NEXT_PARAM_SEARCH:
         /* found an interesting parameter? */
         if (strncmpic(mp->name, p, mp->namelen) == 0)
           {
-          uschar * q = p + mp->namelen;
-          int plen = 0;
           int size = 0;
           int ptr = 0;


           /* yes, grab the value and copy to its corresponding expansion variable */
-          while(*q && *q != ';')        /* ; terminates */
-        if (*q == '"')
+          p += mp->namelen;
+          while(*p && *p != ';')        /* ; terminates */
+        if (*p == '"')
           {
-          q++;                /* skip leading " */
-          plen++;            /* and account for the skip */
-          while(*q && *q != '"')    /* " protects ; */
-            {
-            param_value = string_cat(param_value, &size, &ptr, q++, 1);
-            plen++;
-            }
-          if (*q)
-            {
-            q++;            /* skip trailing " */
-            plen++;
-            }
+          p++;                /* skip leading " */
+          while(*p && *p != '"')    /* " protects ; */
+            param_value = string_cat(param_value, &size, &ptr, p++, 1);
+          if (*p) p++;            /* skip trailing " */
           }
         else
-          {
-          param_value = string_cat(param_value, &size, &ptr, q++, 1);
-          plen++;
-          }
+          param_value = string_cat(param_value, &size, &ptr, p++, 1);
+          if (*p) p++;            /* skip trailing ; */


           if (param_value)
         {
+        uschar * dummy;
         param_value[ptr++] = '\0';


         param_value = rfc2047_decode(param_value,
-              check_rfc2047_length, NULL, 32, NULL, &q);
+              check_rfc2047_length, NULL, 32, NULL, &dummy);
         debug_printf("Found %s MIME parameter in %s header, "
               "value is '%s'\n", mp->name, mime_header_list[i].name,
               param_value);
         }
           *mp->value = param_value;
-          p += mp->namelen + plen + 1;    /* name=, content, ; */
           goto NEXT_PARAM_SEARCH;
         }
       }
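Review bot: The inner loop `while(*p && *p != '"')` now stops safely at the end of the header, but a parameter with an unmatched quote is still accepted silently, and everything up to the NUL, including any `;` and later parameters, is copied into the value; the expected `X-0-charset: utf-8;` in test/mail/4000.userx shows this. Because the mime ACL bases policy decisions on these variables, the malformed input should at least be visible where the closing quote is skipped, for example `if (*p) p++; else debug_printf("unterminated quoted MIME parameter %s\n", mp->name);`. The error string that rfc2047_decode() returns through `&dummy` is also never inspected, so if it returns NULL on failure (not visible here) a failed decode looks the same as an absent parameter. The enclosing function starts and ends outside the hunk, so how `param_value` is reset between parameters cannot be checked from here.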
diff --git a/test/confs/4000 b/test/confs/4000
index febe9a5..e1275c1 100644
--- a/test/confs/4000
+++ b/test/confs/4000
@@ -8,6 +8,7 @@ spool_directory = DIR/spool
 log_file_path = DIR/spool/log/%slog
 gecos_pattern = ""
 gecos_name = CALLER_NAME
+log_selector = +subject



 # ----- Main settings -----
diff --git a/test/log/4000 b/test/log/4000
index a6f5d2f..bd49189 100644
--- a/test/log/4000
+++ b/test/log/4000
@@ -1,9 +1,12 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local-esmtp S=sss id=20041217133501.GA3058@???
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local-esmtp S=sss id=20041217133501.GA3058@??? T="[exim] Re: Bug#286074: eximstats: uses message count as data for\n    the \"volume\" charts"
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx <userx@???> R=r1 T=t1
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local-esmtp S=sss id=20041217133501.GA3058@???
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@??? U=CALLER P=local-esmtp S=sss id=20041217133501.GA3058@??? T="Nasty"
 1999-03-02 09:44:33 10HmaY-0005vi-00 => userx <userx@???> R=r1 T=t1
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local-esmtp S=sss id=20041217133501.GA3059@???
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local-esmtp S=sss id=20041217133501.GA3059@??? T="Nasty"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx <userx@???> R=r1 T=t1
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? U=CALLER P=local-esmtp S=sss id=20041217133501.GA3059@??? T="Nasty3"
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userx <userx@???> R=r1 T=t1
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/mail/4000.userx b/test/mail/4000.userx
index 725770d..81b21d2 100644
--- a/test/mail/4000.userx
+++ b/test/mail/4000.userx
@@ -218,3 +218,39 @@ foobar


--T4sUOijqQbZv57TR--

+From CALLER@??? Tue Mar 02 09:44:33 1999
+Received: from CALLER (helo=test.ex)
+    by myhost.test.ex with local-esmtp (Exim x.yz)
+    (envelope-from <CALLER@???>)
+    id 10HmbA-0005vi-00
+    for userx@???; Tue, 2 Mar 1999 09:44:33 +0000
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+From: J Caesar <jcaesar@???>
+To: a-list00@???
+Message-ID: <20041217133501.GA3059@???>
+Mime-Version: 1.0
+Content-Type: text/plain; charset="utf-8""
+Content-Disposition: inline
+Subject: Nasty3
+Sender: CALLER_NAME <CALLER@???>
+X-0-content-type: text/plain
+X-0-filename: 
+X-0-charset: utf-8;
+X-0-boundary: 
+X-0-content-disposition: inline
+X-0-content-transfer-encoding: 
+X-0-content-id: 
+X-0-content-description: 
+X-0-is-multipart: 0
+X-0-is-coverletter: 1
+X-0-is-rfc822: 0
+X-0-decode-filename: TESTSUITE/spool/scan/10HmbA-0005vi-00/10HmbA-0005vi-00-00000
+X-0-content-size: 1
+
+--T4sUOijqQbZv57TR
+Content-Type: text/plain;
+
+foobar
+
+--T4sUOijqQbZv57TR--
+
diff --git a/test/scripts/4000-scanning/4000 b/test/scripts/4000-scanning/4000
index 2f760bc..de175de 100644
--- a/test/scripts/4000-scanning/4000
+++ b/test/scripts/4000-scanning/4000
@@ -126,3 +126,30 @@ foobar
 .
 quit
 ****
+#
+#
+# This one has a 3rd rotten parameter style
+#
+exim -odi -bs
+ehlo test.ex
+mail from:<>
+rcpt to:<userx@???>
+data
+Date: Fri, 17 Dec 2004 14:35:01 +0100
+From: J Caesar <jcaesar@???>
+To: a-list00@???
+Message-ID: <20041217133501.GA3059@???>
+Mime-Version: 1.0
+Content-Type: text/plain; charset="utf-8""
+Content-Disposition: inline
+Subject: Nasty3
+
+--T4sUOijqQbZv57TR
+Content-Type: text/plain;
+
+foobar
+
+--T4sUOijqQbZv57TR--
+.
+quit
+****
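Review bot: The comment `# This one has a 3rd rotten parameter style` does not say what is malformed, which makes the regression hard to recognise later. A more specific comment would be `# Content-Type charset value has a stray extra double-quote, leaving an unterminated quoted-string (crashed the mime ACL before this fix)`. The new case covers only the quoted form; whether an unquoted final parameter with no trailing `;` is exercised elsewhere in this script is not visible in the hunk.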
diff --git a/test/stdout/4000 b/test/stdout/4000
index 42d2eef..ae27f52 100644
--- a/test/stdout/4000
+++ b/test/stdout/4000
@@ -31,3 +31,14 @@
 354 Enter message, ending with "." on a line by itself
 250 OK id=10HmaZ-0005vi-00
 221 myhost.test.ex closing connection
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250-myhost.test.ex Hello CALLER at test.ex
+250-SIZE 52428800
+250-8BITMIME
+250-PIPELINING
+250 HELP
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+250 OK id=10HmbA-0005vi-00
+221 myhost.test.ex closing connection