Fix $regex<n> use-after-free. Bug 2915

author: Jeremy Harris <jgh146exb@wizmail.org> 2022-08-31 15:37:40 +0100
committer: Jeremy Harris <jgh146exb@wizmail.org> 2022-08-31 15:57:29 +0100
commit: 4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2 (patch)
tree: f8041218c4d3a259b1a5c5b72ad944424f40a922 /src
parent: 1072af868662ea8fec30454c2d62afdee24f2c8e (diff)
6 files changed, 24 insertions, 16 deletions
diff --git a/src/src/exim.c b/src/src/exim.c
index ea4286af3..b9328f017 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -2000,8 +2000,6 @@ regex_whitelisted_macro =
   regex_must_compile(US"^[A-Za-z0-9_/.-]*$", MCS_NOFLAGS, TRUE);
 #endif
 
-for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
-
 /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
 this seems to be a generally accepted convention, since one finds symbolic
 links called "mailq" in standard OS configurations. */
@@ -6089,7 +6087,7 @@ MORELOOP:
   deliver_localpart_data = deliver_domain_data =
   recipient_data = sender_data = NULL;
   acl_var_m = NULL;
-  for(int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
+  regex_vars_clear();
 
   store_reset(reset_point);
   }
diff --git a/src/src/expand.c b/src/src/expand.c
index ffbdc14e5..89de56255 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -1860,7 +1860,7 @@ else if (Ustrncmp(name, "r_", 2) == 0)
   return node ? node->data.ptr : strict_acl_vars ? NULL : US"";
   }
 
-/* Handle $auth<n> variables. */
+/* Handle $auth<n>, $regex<n> variables. */
 
 if (Ustrncmp(name, "auth", 4) == 0)
   {
diff --git a/src/src/functions.h b/src/src/functions.h
index 92a4831e3..345d7bce6 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -447,6 +447,7 @@ extern BOOL    regex_match_and_setup(const pcre2_code *, const uschar *, int, in
 extern const pcre2_code *regex_compile(const uschar *, mcs_flags, uschar **,
 		pcre2_compile_context *);
 extern const pcre2_code *regex_must_compile(const uschar *, mcs_flags, BOOL);
+extern void    regex_vars_clear(void);
 extern void    retry_add_item(address_item *, uschar *, int);
 extern BOOL    retry_check_address(const uschar *, host_item *, uschar *, BOOL,
                  uschar **, uschar **);
diff --git a/src/src/globals.c b/src/src/globals.c
index 574ee60a4..cafb15992 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -1324,7 +1324,7 @@ const pcre2_code *regex_EARLY_PIPE   = NULL;
 int    regex_cachesize		     = 0;
 const pcre2_code *regex_ismsgid      = NULL;
 const pcre2_code *regex_smtp_code    = NULL;
-const uschar *regex_vars[REGEX_VARS];
+const uschar *regex_vars[REGEX_VARS] = { 0 };;
 #ifdef WHITELIST_D_MACROS
 const pcre2_code *regex_whitelisted_macro = NULL;
 #endif
diff --git a/src/src/regex.c b/src/src/regex.c
index 5de1c1704..25496f950 100644
--- a/src/src/regex.c
+++ b/src/src/regex.c
@@ -93,19 +93,27 @@ return FAIL;
 }
 
 
+/* reset expansion variables */
+void
+regex_vars_clear(void)
+{
+regex_match_string = NULL;
+for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
+}
+
+
 
 int
-regex(const uschar **listptr, BOOL cacheable)
+regex(const uschar ** listptr, BOOL cacheable)
 {
 unsigned long mbox_size;
-FILE *mbox_file;
-pcre_list *re_list_head;
-uschar *linebuffer;
+FILE * mbox_file;
+pcre_list * re_list_head;
+uschar * linebuffer;
 long f_pos = 0;
 int ret = FAIL;
 
-/* reset expansion variable */
-regex_match_string = NULL;
+regex_vars_clear();
 
 if (!mime_stream)				/* We are in the DATA ACL */
   {
@@ -167,14 +175,13 @@ return ret;
 int
 mime_regex(const uschar **listptr, BOOL cacheable)
 {
-pcre_list *re_list_head = NULL;
-FILE *f;
-uschar *mime_subject = NULL;
+pcre_list * re_list_head = NULL;
+FILE * f;
+uschar * mime_subject = NULL;
 int mime_subject_len = 0;
 int ret;
 
-/* reset expansion variable */
-regex_match_string = NULL;
+regex_vars_clear();
 
 /* precompile our regexes */
 if (!(re_list_head = compile(*listptr, cacheable)))
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 11e7436b9..a15280bdc 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -2157,8 +2157,10 @@ prdr_requested = FALSE;
 #ifdef SUPPORT_I18N
 message_smtputf8 = FALSE;
 #endif
+regex_vars_clear();
 body_linecount = body_zerocount = 0;
 
+lookup_value = NULL;				/* Can be set by ACL */
 sender_rate = sender_rate_limit = sender_rate_period = NULL;
 ratelimiters_mail = NULL;           /* Updated by ratelimit ACL condition */
                    /* Note that ratelimiters_conn persists across resets. */
author	Jeremy Harris <jgh146exb@wizmail.org>	2022-08-31 15:37:40 +0100
committer	Jeremy Harris <jgh146exb@wizmail.org>	2022-08-31 15:57:29 +0100
commit	4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2 (patch)
tree	f8041218c4d3a259b1a5c5b72ad944424f40a922 /src
parent	1072af868662ea8fec30454c2d62afdee24f2c8e (diff)