author | Jeremy Harris <jgh146exb@wizmail.org> | 2018-02-07 23:09:55 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2018-02-07 23:09:55 +0000 |
commit | 744976d4d6e6c8f8ea36ad19a6570c45f21aa4f4 (patch) | |
tree | de37ffe2cbeafa00e0636ef740c69cd6a94ead87 | |
parent | 051d5efab898146f3769c72e58af4577164d2dab (diff) |
DKIM: fix buffer overflow in verify
Caused crash in free() by corrupting malloc metadata.
Reported-by: University of Cambridge
Broken-by: 80a47a2c96
-rw-r--r-- | doc/doc-txt/ChangeLog | 3 | ||||
-rw-r--r-- | src/src/pdkim/pdkim.c | 5 |
2 files changed, 6 insertions, 2 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 8221fb564..868e59106 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -82,6 +82,9 @@ JH/15 Relax results from ACL control request to enable cutthrough, in ignoring. This covers use with PRDR, frozen messages, queue-only and fake-reject. +JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc + metadata, resulting in a crash in free(). + Exim version 4.90 ----------------- diff --git a/src/src/pdkim/pdkim.c b/src/src/pdkim/pdkim.c index eec1a9c16..df507381f 100644 --- a/src/src/pdkim/pdkim.c +++ b/src/src/pdkim/pdkim.c @@ -710,7 +710,7 @@ if (b->canon_method == PDKIM_CANON_RELAXED) if (!relaxed_data) { BOOL seen_wsp = FALSE; - const uschar * p; + const uschar * p, * r; int q = 0; /* We want to be able to free this else we allocate @@ -721,7 +721,7 @@ if (b->canon_method == PDKIM_CANON_RELAXED) relaxed_data = store_malloc(sizeof(blob) + orig_data->len+1); relaxed_data->data = US (relaxed_data+1); - for (p = orig_data->data; *p; p++) + for (p = orig_data->data, r = p + orig_data->len; p < r; p++) { char c = *p; if (c == '\r') @@ -848,6 +848,7 @@ ctx->linebuf_offset = 0; /* -------------------------------------------------------------------------- */ /* Call from pdkim_feed below for processing complete body lines */ +/* NOTE: the line is not NUL-terminated; but we have a count */ static void pdkim_bodyline_complete(pdkim_ctx * ctx) |
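Review bot: The new bound in the second pdkim.c hunk, `r = p + orig_data->len; p < r`, fixes the read side, but the output buffer it feeds is sized `sizeof(blob) + orig_data->len+1` in the same hunk, and the loop body that writes into `relaxed_data->data` through `q` lies outside the hunk; the write stays in range only if relaxed canonicalisation never emits more bytes than it consumes, and that invariant is not stated anywhere near the allocation. A one-line comment at the store_malloc would make the sizing checkable, e.g. `/* relaxed canon only drops or collapses whitespace, so output length <= input length; the +1 presumably reserves space for a terminator */` (confirm the terminator is actually written after the loop). The comment added at the third hunk, that the line is not NUL-terminated but has a count, reads as a property of blob rather than of this one caller; if so it belongs on the blob type, so the next `*p`-terminated loop over `->data` does not repeat the overflow this commit fixes. The function enclosing the 710/721 hunks starts and ends outside them.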