Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2857] New: Off by one error in parse_forward_list() leads to SIGSEGV
https://bugs.exim.org/show_bug.cgi?id=2857

            Bug ID: 2857
           Summary: Off by one error in parse_forward_list() leads to
                    SIGSEGV
           Product: Exim
           Version: 4.95
          Hardware: x86
                OS: Linux
            Status: NEW
          Severity: bug
          Priority: medium
         Component: Routing
          Assignee: unallocated@???
          Reporter: dzambonini@???
                CC: exim-dev@???


A change in 4.96 has uncovered an off by one error in parse_forward_list()
leading to SIGSEGV while attempting to copy the error string of a special
address:

After being passed a special address with no text:

parse_forward_list(s=":fail:\n:fail:\0", ...)

   1354   if (special)
   1355     {
   1356     uschar *ss = Ustrchr(s+1, ':') + 1;
   1357     if ((options & specopt) == specbit)
   1358       {
   1359       *error = string_sprintf("\"%.*s\" is not permitted", len, s);
   1360       return FF_ERROR;
   1361       }
   1362     while (*ss && isspace(*ss)) ss++;
   1363     while (s[len] && s[len] != '\n') len++;
   1364     *error = string_copyn(ss, s + len - ss);
   1365     return special;
   1366     }


enters with len=6, s unchanged, and the local ss pointing at ":fail:\0"; as
(s + len - ss) yields -1, string_copyn() is passed a length of 4294967295
(-1), leading to SIGSEGV. Redacted full trace attached.
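The pointer arithmetic described above, as an added C reproduction that is not Exim's code: it mirrors the 4.96 length computation on the reporter's input ":fail:\n:fail:" (len=6) and on a constructed address that does carry text, beside a guarded variant (an assumed fix, not the project's) that stops the whitespace skip at the newline and clamps the length at zero.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed reproduction of the length arithmetic quoted from
 * parse_forward_list() in Exim 4.96; this is not Exim's code.  `s` points
 * at the special token (":fail:" or ":defer:") and `len` is that token's
 * length on entry, 6 for ":fail:" as in the report. */

/* Locate the text following the special token.  With stop_at_newline == 0
 * this is the 4.96 behaviour: isspace('\n') is true, so when the address
 * has no text the skip steps onto the following line. */
static const char *special_text_start(const char *s, int stop_at_newline)
{
    const char *colon = strchr(s + 1, ':');
    if (!colon) return NULL;                 /* not a special address */
    const char *ss = colon + 1;
    while (*ss && (!stop_at_newline || *ss != '\n')
           && isspace((unsigned char)*ss))
        ss++;
    return ss;
}

/* Mirror of the 4.96 computation.  Returns the value that would be handed
 * to string_copyn() as a size_t; a negative result is the off-by-one. */
ptrdiff_t special_text_len_4_96(const char *s, size_t len)
{
    const char *ss = special_text_start(s, 0);
    if (!ss) return 0;
    /* the end marker stops at the '\n' that ss has already walked past */
    while (s[len] && s[len] != '\n') len++;
    return (s + len) - ss;                   /* -1 for ":fail:\n:fail:" */
}

/* Guarded variant (assumed fix): never skip past the end of the line, and
 * clamp so an empty message yields length 0 rather than -1. */
ptrdiff_t special_text_len_guarded(const char *s, size_t len)
{
    const char *ss = special_text_start(s, 1);
    if (!ss) return 0;
    while (s[len] && s[len] != '\n') len++;
    ptrdiff_t n = (s + len) - ss;
    return n < 0 ? 0 : n;
}

/* Bounded copy of the message text using the guarded length.  Returns the
 * number of bytes copied; an empty message copies nothing. */
size_t copy_special_text(const char *s, size_t len, char *out, size_t outsz)
{
    if (outsz == 0) return 0;
    const char *ss = special_text_start(s, 1);
    if (!ss) { out[0] = '\0'; return 0; }
    size_t want = (size_t)special_text_len_guarded(s, len);
    if (want >= outsz) want = outsz - 1;     /* truncate, never overrun */
    memcpy(out, ss, want);
    out[want] = '\0';
    return want;
}

/* Convenience wrapper returning the copied text from a static buffer. */
const char *demo_copy(const char *s, size_t len)
{
    static char buf[64];
    copy_special_text(s, len, buf, sizeof buf);
    return buf;
}

int main(void)
{
    const char *no_text   = ":fail:\n:fail:";          /* reporter's input */
    const char *with_text = ":fail: no such user\n";   /* constructed */
    printf("4.96 length, no text:    %td\n", special_text_len_4_96(no_text, 6));
    printf("guarded length, no text: %td\n", special_text_len_guarded(no_text, 6));
    printf("copied text:             \"%s\"\n", demo_copy(with_text, 6));
    return 0;
}
```

Run as written it prints -1 for the 4.96 arithmetic and 0 for the guarded one on the reporter's input; converting that -1 to the size_t that string_copyn() takes is what produces the 4294967295 in the report.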

Change in 4.96 that uncovered it:

-    while (*ss != 0 && isspace(*ss)) ss++;
-    while (s[len] != 0 && s[len] != '\n') len++;
-    s[len] = 0;
-    *error = string_copy(ss);


+    while (*ss && isspace(*ss)) ss++;
+    while (s[len] && s[len] != '\n') len++;
+    *error = string_copyn(ss, s + len - ss);
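Review bot: the length `s + len - ss` passed to `string_copyn()` in the last added line goes negative when the special address carries no text. `ss` starts at the byte after the second ':', and the whitespace skip `while (*ss && isspace(*ss)) ss++;` treats '\n' as whitespace and walks onto the next line, while the `len` loop `while (s[len] && s[len] != '\n') len++;` stops at that same '\n', so `ss` ends up one past `s + len` and the size_t argument becomes 4294967295 as the report shows. The removed `s[len] = 0;` used to terminate the string at the newline so `string_copy(ss)` stayed in bounds; with it gone the copy length needs its own bound. Suggest either stopping the skip at the line end, `while (*ss && *ss != '\n' && isspace(*ss)) ss++;`, or checking `ss <= s + len` before the `string_copyn()` call and storing an empty error string otherwise.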


--
You are receiving this mail because:
You are on the CC list for the bug.