DNS: more hardening against crafted responses

[exim.git] / src / src / acl.c

diff --git a/src/src/acl.c b/src/src/acl.c
index 1e7d28a907d4857f1df27b32c8f8f65e2fa9cbcb..302dedaeb21fdde5f982fd5613701b04810a13f2 100644 (file)
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -5,6 +5,7 @@
 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
 /* Copyright (c) University of Cambridge 1995 - 2018 */
 /* See the file NOTICE for conditions of use and distribution. */
+/* SPDX-License-Identifier: GPL-2.0-or-later */
 
 /* Code for handling Access Control Lists (ACLs) */
 
@@ -222,7 +223,7 @@ static condition_def conditions[] = {
   },
   [ACLC_ENCRYPTED] =           { US"encrypted",        FALSE, FALSE,
                                  ACL_BIT_NOTSMTP | ACL_BIT_NOTSMTP_START |
-                                   ACL_BIT_HELO,
+                                   ACL_BIT_CONNECT
   },
 
   [ACLC_ENDPASS] =             { US"endpass",  TRUE, TRUE,     0 },
@@ -1091,7 +1092,7 @@ for (header_line * h = acl_added_headers; h; h = h->next)
   g = string_append_listele_n(g, '\n', h->text, i);
   }
 
-return g ? g->s : NULL;
+return string_from_gstring(g);
 }
 
 
@@ -1433,6 +1434,7 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
 
   /* Extract the numerical SRV fields (p is incremented) */
 
+  if (rr_bad_size(rr, 3 * sizeof(uint16_t))) continue;
   GETSHORT(priority, p);
   GETSHORT(weight, p);
   GETSHORT(port, p);
@@ -1642,6 +1644,30 @@ return period;
 
 
 
+static BOOL
+sender_helo_verified_internal(void)
+{
+/* We can test the result of optional HELO verification that might have
+occurred earlier. If not, we can attempt the verification now. */
+
+if (!f.helo_verified && !f.helo_verify_failed) smtp_verify_helo();
+return f.helo_verified;
+}
+
+static int
+sender_helo_verified_cond(void)
+{
+return sender_helo_verified_internal() ? OK : FAIL;
+}
+
+uschar *
+sender_helo_verified_boolstr(void)
+{
+return sender_helo_verified_internal() ? US"yes" : US"no";
+}
+
+
+
 /* This function implements the "verify" condition. It is called when
 encountered in any ACL, because some tests are almost always permitted. Some
 just don't make sense, and always fail (for example, an attempt to test a host
@@ -1738,11 +1764,7 @@ switch(vp->value)
     return FAIL;
 
   case VERIFY_HELO:
-    /* We can test the result of optional HELO verification that might have
-    occurred earlier. If not, we can attempt the verification now. */
-
-    if (!f.helo_verified && !f.helo_verify_failed) smtp_verify_helo();
-    return f.helo_verified ? OK : FAIL;
+    return sender_helo_verified_cond();
 
   case VERIFY_CSA:
     /* Do Client SMTP Authorization checks in a separate function, and turn the
@@ -2529,6 +2551,7 @@ else switch(mode)
     anchor = NULL; /* silence an "unused" complaint */
     log_write(0, LOG_MAIN|LOG_PANIC_DIE,
       "internal ACL error: unknown ratelimit mode %d", mode);
+    /*NOTREACHED*/
     break;
   }
 
@@ -3406,7 +3429,7 @@ for (; cb; cb = cb->next)
        case CONTROL_FAKEREJECT:
          cancel_cutthrough_connection(TRUE, US"fakereject");
        case CONTROL_FAKEDEFER:
-         fake_response = (control_type == CONTROL_FAKEDEFER) ? DEFER : FAIL;
+         fake_response = control_type == CONTROL_FAKEDEFER ? DEFER : FAIL;
          if (*p == '/')
            {
            const uschar *pp = p + 1;
@@ -3751,8 +3774,9 @@ for (; cb; cb = cb->next)
       if (!f.dmarc_has_been_checked)
        dmarc_process();
       f.dmarc_has_been_checked = TRUE;
+
       /* used long way of dmarc_exim_expand_query() in case we need more
-       * view into the process in the future. */
+      view into the process in the future. */
       rc = match_isinlist(dmarc_exim_expand_query(DMARC_VERIFY_STATUS),
                          &arg, 0, NULL, NULL, MCL_STRING, TRUE, NULL);
       break;