https://bugs.exim.org/show_bug.cgi?id=2857
Bug ID: 2857
Summary: Off by one error in parse_forward_list() leads to SIGSEGV
Product: Exim
Version: 4.95
Hardware: x86
OS: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Routing
Assignee: unallocated@???
Reporter: dzambonini@???
CC: exim-dev@???
A change in 4.96 has uncovered an off-by-one error in parse_forward_list()
leading to SIGSEGV while attempting to copy the error string of a special
address:
After being passed a special address with no text:
parse_forward_list(s=":fail:\n:fail:\0", ...)
  if (special)
    {
    uschar *ss = Ustrchr(s+1, ':') + 1;       /* text after the second ':' */
    if ((options & specopt) == specbit)
      {
      *error = string_sprintf("\"%.*s\" is not permitted", len, s);
      return FF_ERROR;
      }
    while (*ss && isspace(*ss)) ss++;          /* can step past the '\n' */
    while (s[len] && s[len] != '\n') len++;    /* stops at that same '\n' */
    *error = string_copyn(ss, s + len - ss);   /* length goes negative here */
    return special;
    }
The code enters with len=6, s unchanged, and the local variable ss ending up
pointing at ":fail:\0". As (s + len - ss) yields -1, string_copyn() is passed
a length of 4294967295 (-1), leading to SIGSEGV; a redacted full trace is
attached.
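To illustrate the arithmetic described above, here is an added example (not Exim's code) that replays the two loops on constructed forward-list strings and shows a bounded rewrite that finds the line end before skipping whitespace; buggy_error_len and fixed_error_text are names chosen for this example.

```c
/* Added example (not Exim's code): reproduces the pointer arithmetic of the
 * parse_forward_list() special-address branch on constructed input strings
 * and shows one bounded rewrite. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the 4.96 code path: skips whitespace after the second ':' without
 * regard to the line end, then stops len at the newline.  Returns the signed
 * length that string_copyn() would receive; negative means an overrun. */
ptrdiff_t buggy_error_len(const char *s, int len)
{
    const char *ss = strchr(s + 1, ':') + 1;
    while (*ss && isspace((unsigned char)*ss)) ss++;   /* may step past '\n' */
    while (s[len] && s[len] != '\n') len++;            /* stops at that '\n' */
    return (s + len) - ss;                             /* -1 for ":fail:\n" */
}

/* Bounded rewrite: find the end of the line first, then skip whitespace only
 * up to it, so the computed length can never be negative.  Copies the error
 * text into out (NUL-terminated) and returns its length. */
size_t fixed_error_text(const char *s, int len, char *out, size_t outsz)
{
    const char *end = s + len;
    while (*end && *end != '\n') end++;
    const char *ss = strchr(s + 1, ':') + 1;
    while (ss < end && isspace((unsigned char)*ss)) ss++;
    size_t n = (size_t)(end - ss);
    if (n >= outsz) n = outsz - 1;
    memcpy(out, ss, n);
    out[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed inputs: the crashing case from the report and a normal one. */
    const char *crash = ":fail:\n:fail:";
    const char *ok = ":fail: no such user\nother@example.invalid";
    char buf[64];
    printf("buggy length for bare :fail: = %td (as uint32: %u)\n",
           buggy_error_len(crash, 6), (unsigned)buggy_error_len(crash, 6));
    fixed_error_text(crash, 6, buf, sizeof buf);
    printf("fixed text for bare :fail: = \"%s\"\n", buf);
    fixed_error_text(ok, 6, buf, sizeof buf);
    printf("fixed text with message   = \"%s\"\n", buf);
    return 0;
}
```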
The change in 4.96 that uncovered it:
- while (*ss != 0 && isspace(*ss)) ss++;
- while (s[len] != 0 && s[len] != '\n') len++;
- s[len] = 0;
- *error = string_copy(ss);
+ while (*ss && isspace(*ss)) ss++;
+ while (s[len] && s[len] != '\n') len++;
+ *error = string_copyn(ss, s + len - ss);
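Review bot: in the `+` lines the whitespace-skipping loop runs before the line end is found, so ss can be advanced past the '\n' at which the second loop stops len, and `s + len - ss` then goes negative (-1 for a bare ":fail:\n"), reaching string_copyn() as a length that reads as 4294967295. The removed `s[len] = 0; *error = string_copy(ss);` form did not crash on this input, but with ss already past the newline it copied text from the following line instead of an empty message. Find the line end first and bound the skip by it, e.g. `while (ss < s + len && isspace(*ss)) ss++;` placed after the len loop, so the computed length can never be negative.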