Gitweb:
https://git.exim.org/exim.git/commitdiff/4f07f38374f8662c318699fb30432273ffcfe0d3
Commit: 4f07f38374f8662c318699fb30432273ffcfe0d3
Parent: 35916b2f03491ce505f69b15096bfd8d00e08286
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Tue Oct 10 12:45:27 2023 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Tue Oct 10 12:45:27 2023 +0100
SPF: harden against crafted DNS responses
---
src/src/spf.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/src/spf.c b/src/src/spf.c
index ef55520b1..16c840d71 100644
--- a/src/src/spf.c
+++ b/src/src/spf.c
@@ -122,6 +122,7 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
switch(rr_type)
{
case T_MX:
+ if (rr->size < 2) continue;
s += 2; /* skip the MX precedence field */
case T_PTR:
{
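Review bot: The new guard in `case T_MX` still admits a record whose data is exactly the two-byte precedence field, so after `s += 2` the fall-through into `case T_PTR` starts decoding a name at the very end of the record data. The name decode sits in the T_PTR block outside this hunk, so whether it is bounded by the record or only by the whole packet cannot be confirmed from here. Requiring room for at least one name byte keeps the check self-contained: `if (rr->size < 3) continue;  /* precedence + at least the root label */`. The fall-through is evidently intentional but unmarked; a `/* fallthrough */` comment after `s += 2;` would stop it being read as a missing `break`.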
@@ -137,6 +138,7 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
gstring * g = NULL;
uschar chunk_len;
+ if (rr->size < 1+6) continue; /* min for version str */
if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
{
HDEBUG(D_host_lookup) debug_printf("not an spf record: %.*s\n",
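Review bot: The rejection path's `debug_printf("not an spf record: %.*s\n", ...)` takes a precision that the new `rr->size < 1+6` check does not constrain. Its argument line is outside the hunk, but if the precision comes from the record's first length byte it is still attacker-supplied and may exceed the bytes actually present, giving an over-read when host-lookup debugging is enabled. The precision passed should be no larger than `rr->size - 1`. Separately, `1+6` and the `6` in the `strncmpic` call would be easier to audit with a comment such as `/* 1 length byte + strlen(SPF_VER_STR) */`.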
@@ -144,9 +146,12 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
continue;
}
- for (int off = 0; off < rr->size; off += chunk_len)
+ /* require 1 byte for the chunk_len */
+ for (int off = 0; off < rr->size - 1; off += chunk_len)
{
- if (!(chunk_len = s[off++])) break;
+ if ( !(chunk_len = s[off++])
+ || rr->size < off + chunk_len /* ignore bogus size chunks */
+ ) break;
g = string_catn(g, s+off, chunk_len);
}
if (!g)
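Review bot: When a chunk length overruns the record, the test `|| rr->size < off + chunk_len` only stops the loop, so chunks already appended to `g` are kept and the `if (!g)` test after the loop sees a non-empty but truncated string. A truncated SPF policy can mean something different from the published one, for instance if the closing mechanism is lost, so a malformed record is safer discarded than partially evaluated. Splitting the condition does that: `if (!(chunk_len = s[off++])) break;` followed by `if (rr->size < off + chunk_len) { g = NULL; break; }  /* malformed: drop the whole record */`. This assumes `g` needs no explicit free and that the `if (!g)` branch, which continues outside the hunk, skips the record; both should be confirmed against the full function.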