authorJeremy Harris <jgh146exb@wizmail.org>2018-02-07 23:09:55 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2018-02-07 23:09:55 +0000
commit744976d4d6e6c8f8ea36ad19a6570c45f21aa4f4 (patch)
treede37ffe2cbeafa00e0636ef740c69cd6a94ead87
parent051d5efab898146f3769c72e58af4577164d2dab (diff)
DKIM: fix buffer overflow in verify
Caused crash in free() by corrupting malloc metadata. Reported-by: University of Cambridge Broken-by: 80a47a2c96
-rw-r--r--doc/doc-txt/ChangeLog3
-rw-r--r--src/src/pdkim/pdkim.c5
2 files changed, 6 insertions, 2 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 8221fb564..868e59106 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -82,6 +82,9 @@ JH/15 Relax results from ACL control request to enable cutthrough, in
ignoring. This covers use with PRDR, frozen messages, queue-only and
fake-reject.
+JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
+ metadata, resulting in a crash in free().
+
Exim version 4.90
-----------------
diff --git a/src/src/pdkim/pdkim.c b/src/src/pdkim/pdkim.c
index eec1a9c16..df507381f 100644
--- a/src/src/pdkim/pdkim.c
+++ b/src/src/pdkim/pdkim.c
@@ -710,7 +710,7 @@ if (b->canon_method == PDKIM_CANON_RELAXED)
if (!relaxed_data)
{
BOOL seen_wsp = FALSE;
- const uschar * p;
+ const uschar * p, * r;
int q = 0;
/* We want to be able to free this else we allocate
@@ -721,7 +721,7 @@ if (b->canon_method == PDKIM_CANON_RELAXED)
relaxed_data = store_malloc(sizeof(blob) + orig_data->len+1);
relaxed_data->data = US (relaxed_data+1);
- for (p = orig_data->data; *p; p++)
+ for (p = orig_data->data, r = p + orig_data->len; p < r; p++)
{
char c = *p;
if (c == '\r')
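Review bot: The new `p < r` bound fixes the over-read of `orig_data`, but the matching write into `relaxed_data->data[q]` (allocated as `orig_data->len+1` bytes just above) is still only implicitly bounded: it relies on relaxed canonicalisation never emitting more bytes than it consumes, and nothing at the allocation site says so. That invariant should be recorded where the size is chosen, e.g. `/* relaxed canon only drops or collapses bytes, so output length <= orig_data->len; +1 for the terminating NUL */`, so a future change to the loop body cannot silently break the sizing. It is also worth confirming, presumably after the loop, that `data[q]` is still NUL-terminated now that the loop no longer stops on a NUL, since the old bound implied a terminator and callers may depend on one. The loop body and its exit are outside this hunk.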
@@ -848,6 +848,7 @@ ctx->linebuf_offset = 0;
/* -------------------------------------------------------------------------- */
/* Call from pdkim_feed below for processing complete body lines */
+/* NOTE: the line is not NUL-terminated; but we have a count */
static void
pdkim_bodyline_complete(pdkim_ctx * ctx)