[exim-cvs] More checks on header line length during receptio…

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] More checks on header line length during reception
Gitweb: https://git.exim.org/exim.git/commitdiff/56ac062a3ff94fc4e1bbfc2293119c079a4e980b
Commit:     56ac062a3ff94fc4e1bbfc2293119c079a4e980b
Parent:     fcb900d84cc71cb169bd1b223920de1026772695
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Jan 10 21:15:11 2019 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Thu Jan 10 21:15:11 2019 +0000


    More checks on header line length during reception
---
 doc/doc-txt/ChangeLog | 4 ++++
 src/src/receive.c     | 9 +++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index a3de864..e2dd71b 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -187,6 +187,10 @@ JH/40 Fix the feature-cache refresh for EXPERIMENTAL_PIPE_CONNECT.  Previously
       it only wrote the new authenticators, resulting in a lack of tracking of
       peer changes of ESMTP extensions until the next cache flush.


+JH/41 Fix the loop reading a message header line to check for integer overflow,
+      and more-often against header_maxsize.  Previously a crafted message could
+      induce a crash of the recive process; now the message is cleanly rejected.
+


 Exim version 4.91
 -----------------
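Review bot: the added ChangeLog entry misspells "receive" as "recive" in "induce a crash of the recive process"; fix the typo before this reaches the release notes. Since the entry itself says a crafted message could crash the receive process, consider stating plainly that this is a remotely triggerable denial-of-service fix, so operators reading the ChangeLog know to prioritise it.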
diff --git a/src/src/receive.c b/src/src/receive.c
index 6d54ad3..a0467e8 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -1827,8 +1827,11 @@ for (;;)
   if (ptr >= header_size - 4)
     {
     int oldsize = header_size;
-    /* header_size += 256; */
+
+    if (header_size >= INT_MAX/2)
+      goto OVERSIZE;
     header_size *= 2;
+
     if (!store_extend(next->text, oldsize, header_size))
       next->text = store_newblock(next->text, header_size, ptr);
     }
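Review bot: the new guard `if (header_size >= INT_MAX/2) goto OVERSIZE;` stops `header_size *= 2` from overflowing a signed int, but it still allows one header line to grow the buffer to roughly INT_MAX/2 bytes before the line is rejected, far beyond any sensible `header_maxsize`. Consider also jumping to OVERSIZE here when `header_size` (or `ptr`) already exceeds `header_maxsize`, so the rejection happens without first allocating gigabyte-sized blocks via `store_extend`/`store_newblock`, and confirm that `<limits.h>` is included in receive.c for `INT_MAX`. Dropping the dead `/* header_size += 256; */` comment is fine.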
@@ -1934,6 +1937,7 @@ for (;;)


   if (message_size >= header_maxsize)
     {
+OVERSIZE:
     next->text[ptr] = 0;
     next->slen = ptr;
     next->type = htype_other;
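Review bot: the `OVERSIZE:` label is placed inside the body of `if (message_size >= header_maxsize)` and is now reached by `goto` from two other points in the same loop; add a one-line comment at the label saying it is the shared too-long-header exit and that every jump must arrive with `ptr` still below the allocated `header_size`, because the very next statement writes `next->text[ptr] = 0`. Without that note a later refactor could move the label or the buffer-resize logic and silently reintroduce an out-of-bounds write.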
@@ -2005,7 +2009,8 @@ for (;;)
     if (nextch == ' ' || nextch == '\t')
       {
       next->text[ptr++] = nextch;
-      message_size++;
+      if (++message_size >= header_maxsize)
+    goto OVERSIZE;
       continue;                      /* Iterate the loop */
       }
     else if (nextch != EOF) (receive_ungetc)(nextch);   /* For next time */
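Review bot: the new `goto OVERSIZE;` in the continuation-whitespace branch is indented four spaces, less than the `if (++message_size >= header_maxsize)` it belongs to; indent it one level deeper than the `if`, matching the two-space style of the surrounding code. The logic itself is consistent with the earlier `message_size >= header_maxsize` test at end of line, so a header padded with an endless run of leading spaces or tabs is now cut off at the same limit instead of merely being counted.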