[exim-cvs] Avoid crash with badly-terminated non-recognised …

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] Avoid crash with badly-terminated non-recognised mime parameter
Gitweb: http://git.exim.org/exim.git/commitdiff/e7c25d5b603a33e677efc4bccb6e5cac617e7ad5
Commit:     e7c25d5b603a33e677efc4bccb6e5cac617e7ad5
Parent:     bf485bf34df3fc2214765497a5552851c6a8977a
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Jan 1 21:47:10 2015 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Thu Jan 1 22:27:28 2015 +0000


    Avoid crash with badly-terminated non-recognised mime parameter
---
 src/src/mime.c                  |   18 ++++++++++------
 test/log/4000                   |    3 ++
 test/mail/4000.userx            |   42 +++++++++++++++++++++++++++++++++++++++
 test/scripts/4000-scanning/4000 |   32 +++++++++++++++++++++++++++++
 test/stdout/4000                |   11 ++++++++++
 5 files changed, 99 insertions(+), 7 deletions(-)


diff --git a/src/src/mime.c b/src/src/mime.c
index e5fe476..948dd78 100644
--- a/src/src/mime.c
+++ b/src/src/mime.c
@@ -589,6 +589,7 @@ DECODE_HEADERS:
 NEXT_PARAM_SEARCH:
     while (*p)
       {
+      /* debug_printf("  considering paramlist '%s'\n", p); */
       mime_parameter * mp;
       for (mp = mime_parameter_list;
            mp < &mime_parameter_list[mime_parameter_list_size];
@@ -623,7 +624,7 @@ NEXT_PARAM_SEARCH:


         param_value = rfc2047_decode(param_value,
               check_rfc2047_length, NULL, 32, NULL, &dummy);
-        debug_printf("Found %s MIME parameter in %s header, "
+        debug_printf(" Found %s MIME parameter in %s header, "
               "value is '%s'\n", mp->name, mime_header_list[i].name,
               param_value);
         }
@@ -631,14 +632,17 @@ NEXT_PARAM_SEARCH:
           goto NEXT_PARAM_SEARCH;
         }
       }
-      /* There is something, but not one of our interesting parameters.
-         Advance to the next semicolon */
-      while(*p != ';')
+    /* There is something, but not one of our interesting parameters.
+       Advance to the next unquoted semicolon */
+    while(*p && *p != ';')
+      if (*p == '"')
         {
-        if (*p == '"') while(*++p && *p != '"') ;
-        p++;
+        while(*++p && *p != '"') ;
+        if (*p) p++;
         }
-      p++;
+      else
+        p++;
+    if (*p) p++;
     }
       }
   }
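Review bot: The inner skip loop `while(*++p && *p != '"') ;` ends a quoted value at the first double quote and does not honour a backslash-escaped quote (the quoted-pair form MIME allows inside a quoted-string). For an unrecognised parameter whose value contains `\"`, the scan can therefore stop early and treat the rest of the value as further parameters. The scanner's view of the header could then differ from that of a conforming MIME parser, which presumably matters because the recognised parameters feed the content-scanning variables; whether escapes are normalised earlier is not visible in this hunk. Consider `while (*++p && *p != '"') if (*p == '\\' && p[1]) p++;`, which still stops at the terminating NUL. Bracing the outer `while` body would also make the if/else nesting easier to audit; the enclosing function starts and ends outside the hunk.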
diff --git a/test/log/4000 b/test/log/4000
index bd49189..e2c364f 100644
--- a/test/log/4000
+++ b/test/log/4000
@@ -10,3 +10,6 @@
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@??? U=CALLER P=local-esmtp S=sss id=20041217133501.GA3059@??? T="Nasty3"
 1999-03-02 09:44:33 10HmbA-0005vi-00 => userx <userx@???> R=r1 T=t1
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local-esmtp S=sss id=20041217133501.GA3059@??? T="Nasty4"
+1999-03-02 09:44:33 10HmbB-0005vi-00 => userx <userx@???> R=r1 T=t1
+1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
diff --git a/test/mail/4000.userx b/test/mail/4000.userx
index 81b21d2..d362efd 100644
--- a/test/mail/4000.userx
+++ b/test/mail/4000.userx
@@ -254,3 +254,45 @@ foobar


--T4sUOijqQbZv57TR--

+From CALLER@??? Tue Mar 02 09:44:33 1999
+Received: from CALLER (helo=test.ex)
+    by myhost.test.ex with local-esmtp (Exim x.yz)
+    (envelope-from <CALLER@???>)
+    id 10HmbB-0005vi-00
+    for userx@???; Tue, 2 Mar 1999 09:44:33 +0000
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+From: J Caesar <jcaesar@???>
+To: a-list00@???
+Message-ID: <20041217133501.GA3059@???>
+Mime-Version: 1.0
+Content-Type: text/plain;
+        garbage1;
+        garbage2=foo;
+        garbage3="bar"foo;
+        charset=UTF-8;
+        garbage4=";
+        garbage5="
+Content-Disposition: inline
+Subject: Nasty4
+Sender: CALLER_NAME <CALLER@???>
+X-0-content-type: text/plain
+X-0-filename: 
+X-0-charset: UTF-8
+X-0-boundary: 
+X-0-content-disposition: inline
+X-0-content-transfer-encoding: 
+X-0-content-id: 
+X-0-content-description: 
+X-0-is-multipart: 0
+X-0-is-coverletter: 1
+X-0-is-rfc822: 0
+X-0-decode-filename: TESTSUITE/spool/scan/10HmbB-0005vi-00/10HmbB-0005vi-00-00000
+X-0-content-size: 1
+
+--T4sUOijqQbZv57TR
+Content-Type: text/plain;
+
+foobar
+
+--T4sUOijqQbZv57TR--
+
diff --git a/test/scripts/4000-scanning/4000 b/test/scripts/4000-scanning/4000
index de175de..cd53007 100644
--- a/test/scripts/4000-scanning/4000
+++ b/test/scripts/4000-scanning/4000
@@ -153,3 +153,35 @@ foobar
 .
 quit
 ****
+#
+#
+# This one has a some unrecognised params
+#
+exim -odi -bs
+ehlo test.ex
+mail from:<>
+rcpt to:<userx@???>
+data
+Date: Fri, 17 Dec 2004 14:35:01 +0100
+From: J Caesar <jcaesar@???>
+To: a-list00@???
+Message-ID: <20041217133501.GA3059@???>
+Mime-Version: 1.0
+Content-Type: text/plain;
+        garbage1;
+        garbage2=foo;
+        garbage3="bar"foo;
+        charset=UTF-8;
+        garbage4=";
+Content-Disposition: inline
+Subject: Nasty4
+
+--T4sUOijqQbZv57TR
+Content-Type: text/plain;
+
+foobar
+
+--T4sUOijqQbZv57TR--
+.
+quit
+****
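Review bot: The message sent here ends its Content-Type header at `garbage4=";`, but the expected mailbox added in test/mail/4000.userx also lists a `garbage5="` line, so the input and the expected output do not appear to match. One of the two should be corrected, unless the harness rewrites headers in a way not visible here. Adding `garbage5="` to this script would also cover an opening quote as the very last character of the header, which exercises the new `if (*p) p++;` guards in mime.c directly. The comment line could read `# This one has some unrecognised params, one with an unterminated quote`, which also fixes the "a some" typo.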
diff --git a/test/stdout/4000 b/test/stdout/4000
index ae27f52..24b8e28 100644
--- a/test/stdout/4000
+++ b/test/stdout/4000
@@ -42,3 +42,14 @@
 354 Enter message, ending with "." on a line by itself
 250 OK id=10HmbA-0005vi-00
 221 myhost.test.ex closing connection
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250-myhost.test.ex Hello CALLER at test.ex
+250-SIZE 52428800
+250-8BITMIME
+250-PIPELINING
+250 HELP
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+250 OK id=10HmbB-0005vi-00
+221 myhost.test.ex closing connection