From 183389fae10672e8d5ffb1f14f23a179798f483a Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Wed, 16 Dec 2020 19:07:51 +0000 Subject: Fix matching of long addresses. Bug 2677 --- src/src/match.c | 6 ++++-- src/src/rewrite.c | 23 ++++++++++------------- 2 files changed, 14 insertions(+), 15 deletions(-) (limited to 'src')
diff --git a/src/src/match.c b/src/src/match.c
index 6a3314194..bf8cb3b98 100644
--- a/src/src/match.c
+++ b/src/src/match.c
@@ -1269,9 +1269,11 @@ compared. Therefore, Exim now forces the entire address into lower case here,
 provided that "caseless" is set. (It is FALSE for calls for matching rewriting
 patterns.) Otherwise just the domain is lower cases. A magic item "+caseful" in
 the list can be used to restore a caseful copy of the local part from the
-original address. */
+original address.
+Limit the subject address size to avoid mem-exhastion attacks. The size chosen
+is historical (we used to use big_buffer her). */
-if ((len = Ustrlen(address)) > 255) len = 255;
+if ((len = Ustrlen(address)) > BIG_BUFFER_SIZE) len = BIG_BUFFER_SIZE;
 ab.address = string_copyn(address, len);
 for (uschar * p = ab.address + len - 1; p >= ab.address; p--)
diff --git a/src/src/rewrite.c b/src/src/rewrite.c
index 7bff8a273..d003c6ce0 100644
--- a/src/src/rewrite.c
+++ b/src/src/rewrite.c
@@ -109,11 +109,11 @@ int yield_start = 0, yield_end = 0;
 if (whole) *whole = FALSE;
-/* Scan the rewriting rules */
+/* Scan the rewriting rules, ignoring any without matching flag */
 for (rewrite_rule * rule = rewrite_rules;
 rule && !done;
- rule_number++, rule = rule->next)
+ rule_number++, rule = rule->next) if (rule->flags & flag)
 {
 int start, end, pdomain;
 int count = 0;
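Review bot: The raised cap still truncates silently: an address longer than BIG_BUFFER_SIZE is copied as its first BIG_BUFFER_SIZE bytes by `string_copyn(address, len)`, and that prefix — possibly with the domain cut off — is what the list is then matched against, so a pattern written for the full address can match or miss on the truncated one; the bug this commit fixes was the same effect at 255 bytes, and the hunk does not show any upstream limit that makes longer subjects unreachable here. I would at least make the truncation observable with a DEBUG()/debug_printf() line under the list-matching debug selector right after the `if`, and consider treating an over-long subject as a non-match instead of matching its prefix. The new comment also has two typos: `mem-exhaustion` and `big_buffer here`. The enclosing function starts before and ends after this hunk.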
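Review bot: Folding the test onto the end of the for-header, `rule_number++, rule = rule->next) if (rule->flags & flag)`, makes the brace block that follows read as the loop body when it is actually the if body, and a reader scanning the `{` at the old indentation will miss that; saving one `continue` is not worth that ambiguity. I would put `if (rule->flags & flag)` on its own line beneath the for-header, indented one level, with the block indented below it, or keep the early `continue` inside the block. The enclosing function begins before this hunk and its body continues past it.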
@@ -121,10 +121,6 @@ for (rewrite_rule * rule = rewrite_rules;
 const uschar *save_domain;
 uschar *error, *new, *newparsed;
- /* Ensure that the flag matches the flags in the rule. */
-
- if (!(rule->flags & flag)) continue;
-
 /* Come back here for a repeat after a successful rewrite. We do this only so many times. */
@@ -451,6 +447,7 @@ int lastnewline = 0;
 header_line *newh = NULL;
 rmark function_reset_point = store_mark();
 uschar *s = Ustrchr(h->text, ':') + 1;
+
 while (isspace(*s)) s++;
 DEBUG(D_rewrite)
@@ -480,10 +477,10 @@ while (*s)
 the next address, saving the start of the old one. */
 *ss = 0;
- recipient = parse_extract_address(s,&errmess,&start,&end,&domain,FALSE);
+ recipient = parse_extract_address(s, &errmess, &start, &end, &domain, FALSE);
 *ss = terminator;
 sprev = s;
- s = ss + (terminator? 1:0);
+ s = ss + (terminator ? 1 :0);
 while (isspace(*s)) s++;
 /* There isn't much we can do for syntactic disasters at this stage.
@@ -505,7 +502,7 @@ while (*s)
 as abc@xyz, which the DNS lookup turns into abc@xyz.foo.com). However, if no change is made here, don't bother carrying on. */
- if (routed_old != NULL)
+ if (routed_old)
 {
 if (domain <= 0 || strcmpic(recipient+domain, routed_old) != 0) continue;
 recipient[domain-1] = 0;
@@ -549,7 +546,7 @@ while (*s)
 "whole" flag set, adjust the pointers so that the whole address gets replaced, except possibly a final \n. */
- if ((existflags & flag) != 0)
+ if (existflags & flag)
 {
 BOOL whole;
 new = rewrite_one(recipient, flag, &whole, FALSE, NULL, rewrite_rules);
@@ -660,7 +657,7 @@ while (*s)
 /* Set up for scanning the rest of the header */
 s = newh->text + remlen;
- DEBUG(D_rewrite) debug_printf("remainder: %s", (*s == 0)? US"\n" : s);
+ DEBUG(D_rewrite) debug_printf("remainder: %s", *s ? s : US"\n");
 }
 }
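Review bot: The reformatted line `s = ss + (terminator ? 1 :0);` in the hunk at 480 is still unevenly spaced — the whole point of touching it was tidiness, so it should read `s = ss + (terminator ? 1 : 0);` to match the spacing the same hunk applies to the parse_extract_address() arguments. The surrounding `while (*s)` loop and the function it belongs to both start before and end after this hunk.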
@@ -670,10 +667,10 @@ f.parse_found_group = FALSE;
 /* If a rewrite happened and "replace" is true, put the new header into the chain following the old one, and mark the old one as replaced. */
-if (newh != NULL && replace)
+if (newh && replace)
 {
 newh->next = h->next;
- if (newh->next == NULL) header_last = newh;
+ if (!newh->next) header_last = newh;
 h->type = htype_old;
 h->next = newh;
 }
-- cgit v1.2.3