From b975ba52a239bbf56b61a8af88d480bf07c20d81 Mon Sep 17 00:00:00 2001
From: Philip Hazel
Date: Wed, 29 Dec 2004 10:16:52 +0000
Subject: The host_aton() buffer overflow: (1) Put a check in host_aton() itself; (2) noted that the exploit via dnsdb/ptr lookup was already fortuitously fixed by a previous change.
---
 src/src/host.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/src/host.c b/src/src/host.c
index fb58ab4da..46c57683a 100644
--- a/src/src/host.c
+++ b/src/src/host.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/host.c,v 1.3 2004/11/18 11:17:33 ph10 Exp $ */
+/* $Cambridge: exim/src/src/host.c,v 1.4 2004/12/29 10:16:53 ph10 Exp $ */
 /************************************************* * Exim - an Internet mail transport agent *
@@ -754,12 +754,18 @@ if (Ustrchr(address, ':') != NULL)
 if (*p == ':') p++;
- /* Split the address into components separated by colons. */
+ /* Split the address into components separated by colons. The input address
+ is supposed to be checked for syntax. There was a case where this was
+ overlooked; to guard against that happening again, check here and crash if
+ there is a violation. */
 while (*p != 0) { int len = Ustrcspn(p, ":"); if (len == 0) nulloffset = ci;
+ if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "Internal error: invalid IPv6 address \"%s\" passed to host_aton()",
+ address);
 component[ci++] = p; p += len; if (*p == ':') p++;
-- 
cgit v1.2.3
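Review bot: The new guard `if (ci > 7)` in the second hunk hard-codes the component limit while `component` is declared outside the hunk, so if it is a fixed-size array the bound should be derived from the declaration, e.g. `if (ci >= sizeof(component)/sizeof(component[0]))`, or at least written as `ci >= 8` against a named constant, so the limit cannot drift from the array size. The check sits after `nulloffset = ci` but before the store `component[ci++] = p`, so the out-of-bounds write is stopped before it happens; assuming LOG_PANIC_DIE aborts the process as its name suggests, a malformed address that reaches here now produces a logged panic instead of memory corruption, and that log line is the signal that some caller skipped the syntax check the added comment relies on. host_aton() begins before this hunk and the while loop closes after it, so whether every caller validates the address first cannot be confirmed from the hunk alone.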