summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2014-12-30 20:39:02 +0000
committerJeremy Harris <jgh146exb@wizmail.org>2014-12-30 20:51:09 +0000
commitbf485bf34df3fc2214765497a5552851c6a8977a (patch)
tree4544ffd8f02131a0e40fb9c93f4b38b4fcb664b7
parentad4c5ff9c1656eb9691fb1687ce7e0c59291ebda (diff)
Fix crash in mime acl when a parameter is unterminated
Verified-by: Wolfgang Breyha <wbreyha@gmx.net>
-rw-r--r--src/src/mime.c33
-rw-r--r--test/confs/40001
-rw-r--r--test/log/40009
-rw-r--r--test/mail/4000.userx36
-rw-r--r--test/scripts/4000-scanning/400027
-rw-r--r--test/stdout/400011
6 files changed, 92 insertions, 25 deletions
diff --git a/src/src/mime.c b/src/src/mime.c
index a61e9f22f..e5fe476d0 100644
--- a/src/src/mime.c
+++ b/src/src/mime.c
@@ -599,46 +599,35 @@ NEXT_PARAM_SEARCH:
/* found an interesting parameter? */
if (strncmpic(mp->name, p, mp->namelen) == 0)
{
- uschar * q = p + mp->namelen;
- int plen = 0;
int size = 0;
int ptr = 0;
/* yes, grab the value and copy to its corresponding expansion variable */
- while(*q && *q != ';') /* ; terminates */
- if (*q == '"')
+ p += mp->namelen;
+ while(*p && *p != ';') /* ; terminates */
+ if (*p == '"')
{
- q++; /* skip leading " */
- plen++; /* and account for the skip */
- while(*q && *q != '"') /* " protects ; */
- {
- param_value = string_cat(param_value, &size, &ptr, q++, 1);
- plen++;
- }
- if (*q)
- {
- q++; /* skip trailing " */
- plen++;
- }
+ p++; /* skip leading " */
+ while(*p && *p != '"') /* " protects ; */
+ param_value = string_cat(param_value, &size, &ptr, p++, 1);
+ if (*p) p++; /* skip trailing " */
}
else
- {
- param_value = string_cat(param_value, &size, &ptr, q++, 1);
- plen++;
- }
+ param_value = string_cat(param_value, &size, &ptr, p++, 1);
+ if (*p) p++; /* skip trailing ; */
if (param_value)
{
+ uschar * dummy;
param_value[ptr++] = '\0';
param_value = rfc2047_decode(param_value,
- check_rfc2047_length, NULL, 32, NULL, &q);
+ check_rfc2047_length, NULL, 32, NULL, &dummy);
debug_printf("Found %s MIME parameter in %s header, "
"value is '%s'\n", mp->name, mime_header_list[i].name,
param_value);
}
*mp->value = param_value;
- p += mp->namelen + plen + 1; /* name=, content, ; */
goto NEXT_PARAM_SEARCH;
}
}
diff --git a/test/confs/4000 b/test/confs/4000
index febe9a5e7..e1275c17d 100644
--- a/test/confs/4000
+++ b/test/confs/4000
@@ -8,6 +8,7 @@ spool_directory = DIR/spool
log_file_path = DIR/spool/log/%slog
gecos_pattern = ""
gecos_name = CALLER_NAME
+log_selector = +subject
# ----- Main settings -----
diff --git a/test/log/4000 b/test/log/4000
index a6f5d2f70..bd4918963 100644
--- a/test/log/4000
+++ b/test/log/4000
@@ -1,9 +1,12 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3058@test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3058@test.ex T="[exim] Re: Bug#286074: eximstats: uses message count as data for\n the \"volume\" charts"
1999-03-02 09:44:33 10HmaX-0005vi-00 => userx <userx@test.ex> R=r1 T=t1
1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3058@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3058@test.ex T="Nasty"
1999-03-02 09:44:33 10HmaY-0005vi-00 => userx <userx@test.ex> R=r1 T=t1
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3059@test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3059@test.ex T="Nasty"
1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx <userx@test.ex> R=r1 T=t1
1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3059@test.ex T="Nasty3"
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userx <userx@test.ex> R=r1 T=t1
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/mail/4000.userx b/test/mail/4000.userx
index 725770d63..81b21d224 100644
--- a/test/mail/4000.userx
+++ b/test/mail/4000.userx
@@ -218,3 +218,39 @@ foobar
--T4sUOijqQbZv57TR--
+From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999
+Received: from CALLER (helo=test.ex)
+ by myhost.test.ex with local-esmtp (Exim x.yz)
+ (envelope-from <CALLER@myhost.test.ex>)
+ id 10HmbA-0005vi-00
+ for userx@test.ex; Tue, 2 Mar 1999 09:44:33 +0000
+Date: Tue, 2 Mar 1999 09:44:33 +0000
+From: J Caesar <jcaesar@test.ex>
+To: a-list00@exim.org
+Message-ID: <20041217133501.GA3059@test.ex>
+Mime-Version: 1.0
+Content-Type: text/plain; charset="utf-8""
+Content-Disposition: inline
+Subject: Nasty3
+Sender: CALLER_NAME <CALLER@myhost.test.ex>
+X-0-content-type: text/plain
+X-0-filename:
+X-0-charset: utf-8;
+X-0-boundary:
+X-0-content-disposition: inline
+X-0-content-transfer-encoding:
+X-0-content-id:
+X-0-content-description:
+X-0-is-multipart: 0
+X-0-is-coverletter: 1
+X-0-is-rfc822: 0
+X-0-decode-filename: TESTSUITE/spool/scan/10HmbA-0005vi-00/10HmbA-0005vi-00-00000
+X-0-content-size: 1
+
+--T4sUOijqQbZv57TR
+Content-Type: text/plain;
+
+foobar
+
+--T4sUOijqQbZv57TR--
+
diff --git a/test/scripts/4000-scanning/4000 b/test/scripts/4000-scanning/4000
index 2f760bca0..de175dec5 100644
--- a/test/scripts/4000-scanning/4000
+++ b/test/scripts/4000-scanning/4000
@@ -126,3 +126,30 @@ foobar
.
quit
****
+#
+#
+# This one has a 3rd rotten parameter style
+#
+exim -odi -bs
+ehlo test.ex
+mail from:<>
+rcpt to:<userx@test.ex>
+data
+Date: Fri, 17 Dec 2004 14:35:01 +0100
+From: J Caesar <jcaesar@test.ex>
+To: a-list00@exim.org
+Message-ID: <20041217133501.GA3059@test.ex>
+Mime-Version: 1.0
+Content-Type: text/plain; charset="utf-8""
+Content-Disposition: inline
+Subject: Nasty3
+
+--T4sUOijqQbZv57TR
+Content-Type: text/plain;
+
+foobar
+
+--T4sUOijqQbZv57TR--
+.
+quit
+****
diff --git a/test/stdout/4000 b/test/stdout/4000
index 42d2eefc7..ae27f526e 100644
--- a/test/stdout/4000
+++ b/test/stdout/4000
@@ -31,3 +31,14 @@
354 Enter message, ending with "." on a line by itself
250 OK id=10HmaZ-0005vi-00
221 myhost.test.ex closing connection
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250-myhost.test.ex Hello CALLER at test.ex
+250-SIZE 52428800
+250-8BITMIME
+250-PIPELINING
+250 HELP
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+250 OK id=10HmbA-0005vi-00
+221 myhost.test.ex closing connection