Gitweb:
https://git.exim.org/exim.git/commitdiff/5fae29d5b430d6a5f58c6c02cdefbbf307e258a9
Commit: 5fae29d5b430d6a5f58c6c02cdefbbf307e258a9
Parent: 054ce030a60f22a1acc26c419907d276406080f9
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Dec 12 23:43:10 2019 +0000
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Thu Dec 12 23:43:10 2019 +0000
Fix taint issue with retry records. Bug 2492
---
doc/doc-txt/ChangeLog | 4 ++++
src/src/retry.c | 25 ++++++++++++++-----------
2 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 1cc3d63..f9a939d 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -35,6 +35,10 @@ JH/08 Bug 2491: Use tainted buffers for the transport smtp context. Previously
JH/09 Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix
the ordering of its ARC headers. This caused a crash.
+JH/10 Bug 2492: Use tainted memory for retry record when needed. Previously when
+ a new record was being constructed with information from the peer, a trap
+ was taken.
+
Exim version 4.93
-----------------
diff --git a/src/src/retry.c b/src/src/retry.c
index d068f54..175da21 100644
--- a/src/src/retry.c
+++ b/src/src/retry.c
@@ -659,7 +659,8 @@ for (int i = 0; i < 3; i++)
/* Read a retry record from the database or construct a new one.
Ignore an old one if it is too old since it was last updated. */
- retry_record = dbfn_read(dbm_file, rti->key);
+ retry_record = dbfn_read_with_length(dbm_file, rti->key,
+ &message_space);
if ( retry_record
&& now - retry_record->time_stamp > retry_data_expire)
retry_record = NULL;
@@ -675,7 +676,7 @@ for (int i = 0; i < 3; i++)
retry_record->expired = FALSE;
retry_record->text[0] = 0; /* just in case */
}
- else message_space = Ustrlen(retry_record->text);
+ else message_space -= sizeof(dbdata_retry);
/* Compute how long this destination has been failing */
@@ -806,15 +807,17 @@ for (int i = 0; i < 3; i++)
if (next_try - now > retry_interval_max)
next_try = now + retry_interval_max;
- /* If the new message length is greater than the previous one, we
- have to copy the record first. */
-
- if (message_length > message_space)
- {
- dbdata_retry *newr = store_get(sizeof(dbdata_retry) + message_length, FALSE);
- memcpy(newr, retry_record, sizeof(dbdata_retry));
- retry_record = newr;
- }
+ /* If the new message length is greater than the previous one, we have
+ to copy the record first. If we're using an old one, the read used
+ tainted memory so we're ok to write into it. */
+
+ if (message_length > message_space)
+ {
+ dbdata_retry * newr =
+ store_get(sizeof(dbdata_retry) + message_length, is_tainted(message));
+ memcpy(newr, retry_record, sizeof(dbdata_retry));
+ retry_record = newr;
+ }
/* Set up the retry record; message_length may be less than the string
length for very long error strings. */
