[exim-cvs] SPF: harden against crafted DNS responses

Pàgina inicial
Delete this message
Reply to this message
Autor: Exim Git Commits Mailing List
Data:  
A: exim-cvs
Assumpte: [exim-cvs] SPF: harden against crafted DNS responses
Gitweb: https://git.exim.org/exim.git/commitdiff/654056e44fc93a0ee7c09d1228933e8af6862206
Commit:     654056e44fc93a0ee7c09d1228933e8af6862206
Parent:     a355463cfc6479893c6212056a5ca7e6bf2d450b
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Tue Oct 10 12:45:27 2023 +0100
Committer:  Heiko Schlittermann (HS12-RIPE) <hs@???>
CommitDate: Sat Oct 14 23:50:37 2023 +0200


    SPF: harden against crafted DNS responses


    (cherry picked from commit 4f07f38374f8662c318699fb30432273ffcfe0d3)
---
 src/src/spf.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)


diff --git a/src/src/spf.c b/src/src/spf.c
index db6eea3a8..1981d81b6 100644
--- a/src/src/spf.c
+++ b/src/src/spf.c
@@ -120,6 +120,7 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
     switch(rr_type)
       {
       case T_MX:
+    if (rr->size < 2) continue;
     s += 2;    /* skip the MX precedence field */
       case T_PTR:
     {
@@ -135,6 +136,7 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
     gstring * g = NULL;
     uschar chunk_len;


+    if (rr->size < 1+6) continue;        /* min for version str */
     if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
       {
       HDEBUG(D_host_lookup) debug_printf("not an spf record: %.*s\n",
@@ -142,9 +144,12 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
       continue;
       }


-    for (int off = 0; off < rr->size; off += chunk_len)
+    /* require 1 byte for the chunk_len */
+    for (int off = 0; off < rr->size - 1; off += chunk_len)
       {
-      if (!(chunk_len = s[off++])) break;
+      if (  !(chunk_len = s[off++])
+         || rr->size < off + chunk_len    /* ignore bogus size chunks */
+         ) break;
       g = string_catn(g, s+off, chunk_len);
       }
     if (!g)


--
## subscription configuration (requires account):
## https://lists.exim.org/mailman3/postorius/lists/exim-cvs.lists.exim.org/
## unsubscribe (doesn't require an account):
## exim-cvs-unsubscribe@???
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/