git://git.exim.org
/
exim.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
tidying
[exim.git]
/
src
/
src
/
spool_in.c
diff --git
a/src/src/spool_in.c
b/src/src/spool_in.c
index 915798784297ac9f2593708705b4ce4e75657073..6ed5664118f6206d19f5da17c63ca6581ae5acc2 100644
(file)
--- a/
src/src/spool_in.c
+++ b/
src/src/spool_in.c
@@
-25,6
+25,8
@@
fact it won't be written to. Just in case there's a major disaster (e.g.
overwriting some other file descriptor with the value of this one), open it
with append.
overwriting some other file descriptor with the value of this one), open it
with append.
+As called by deliver_message() (at least) we are operating as root.
+
Argument: the id of the message
Returns: fd if file successfully opened and locked, else -1
Argument: the id of the message
Returns: fd if file successfully opened and locked, else -1
@@
-51,11
+53,15
@@
for (i = 0; i < 2; i++)
uschar * fname;
int save_errno;
uschar * fname;
int save_errno;
- message_subdir[0] = split_spool_directory == i
== 0 ? id[5] : 0
;
+ message_subdir[0] = split_spool_directory == i
? '\0' : id[5]
;
fname = spool_fname(US"input", message_subdir, id, US"-D");
DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
fname = spool_fname(US"input", message_subdir, id, US"-D");
DEBUG(D_deliver) debug_printf("Trying spool file %s\n", fname);
- if ((fd = Uopen(fname, O_RDWR | O_APPEND, 0)) >= 0)
+ if ((fd = Uopen(fname,
+#ifdef O_CLOEXEC
+ O_CLOEXEC |
+#endif
+ O_RDWR | O_APPEND, 0)) >= 0)
break;
save_errno = errno;
if (errno == ENOENT)
break;
save_errno = errno;
if (errno == ENOENT)
@@
-81,8
+87,9
@@
an open file descriptor (at least, I think that's the Cygwin story). On real
Unix systems it doesn't make any difference as long as Exim is consistent in
what it locks. */
Unix systems it doesn't make any difference as long as Exim is consistent in
what it locks. */
-(void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) |
- FD_CLOEXEC);
+#ifndef O_CLOEXEC
+(void)fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
+#endif
lock_data.l_type = F_WRLCK;
lock_data.l_whence = SEEK_SET;
lock_data.l_type = F_WRLCK;
lock_data.l_whence = SEEK_SET;
@@
-215,6
+222,8
@@
have been the cause of that incident, but in any case, this code must be robust
against such an event, and if such a file is encountered, it must be treated as
malformed.
against such an event, and if such a file is encountered, it must be treated as
malformed.
+As called from deliver_message() (at least) we are running as root.
+
Arguments:
name name of the header file, including the -H
read_headers TRUE if in-store header structures are to be built
Arguments:
name name of the header file, including the -H
read_headers TRUE if in-store header structures are to be built
@@
-223,7
+232,7
@@
Arguments:
Returns: spool_read_OK success
spool_read_notopen open failed
spool_read_enverror error in the envelope portion
Returns: spool_read_OK success
spool_read_notopen open failed
spool_read_enverror error in the envelope portion
- spool_read_hdr
d
rror error in the header portion
+ spool_read_hdr
e
rror error in the header portion
*/
int
*/
int
@@
-476,21
+485,24
@@
for (;;)
else if (Ustrncmp(p, "cl ", 3) == 0)
{
else if (Ustrncmp(p, "cl ", 3) == 0)
{
-
int
index, count;
- uschar name[20]; /* Need plenty of space for %
d
format */
- tree_node *node;
- if ( sscanf(CS big_buffer + 5, "%
d %d
", &index, &count) != 2
+
unsigned
index, count;
+ uschar name[20]; /* Need plenty of space for %
u
format */
+ tree_node *
node;
+ if ( sscanf(CS big_buffer + 5, "%
u %u
", &index, &count) != 2
|| index >= 20
|| index >= 20
+ || count > 16384 /* arbitrary limit on variable size */
)
goto SPOOL_FORMAT_ERROR;
if (index < 10)
)
goto SPOOL_FORMAT_ERROR;
if (index < 10)
- (void) string_format(name, sizeof(name), "%c%
d
", 'c', index);
+ (void) string_format(name, sizeof(name), "%c%
u
", 'c', index);
else
else
- (void) string_format(name, sizeof(name), "%c%
d
", 'm', index - 10);
+ (void) string_format(name, sizeof(name), "%c%
u
", 'm', index - 10);
node = acl_var_create(name);
node->data.ptr = store_get(count + 1);
node = acl_var_create(name);
node->data.ptr = store_get(count + 1);
+ /* We sanity-checked the count, so disable the Coverity error */
+ /* coverity[tainted_data] */
if (fread(node->data.ptr, 1, count+1, f) < count) goto SPOOL_READ_ERROR;
if (fread(node->data.ptr, 1, count+1, f) < count) goto SPOOL_READ_ERROR;
- (
(uschar*)node->data.ptr)[count] = 0
;
+ (
US node->data.ptr)[count] = '\0'
;
}
break;
}
break;
@@
-660,10
+672,12
@@
DEBUG(D_deliver)
#endif /* COMPILE_UTILITY */
/* After reading the tree, the next line has not yet been read into the
#endif /* COMPILE_UTILITY */
/* After reading the tree, the next line has not yet been read into the
-buffer. It contains the count of recipients which follow on separate lines. */
+buffer. It contains the count of recipients which follow on separate lines.
+Apply an arbitrary sanity check.*/
if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
if (Ufgets(big_buffer, big_buffer_size, f) == NULL) goto SPOOL_READ_ERROR;
-if (sscanf(CS big_buffer, "%d", &rcount) != 1) goto SPOOL_FORMAT_ERROR;
+if (sscanf(CS big_buffer, "%d", &rcount) != 1 || rcount > 16384)
+ goto SPOOL_FORMAT_ERROR;
#ifndef COMPILE_UTILITY
DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount);
#ifndef COMPILE_UTILITY
DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount);
@@
-672,6
+686,10
@@
DEBUG(D_deliver) debug_printf("recipients_count=%d\n", rcount);
recipients_list_max = rcount;
recipients_list = store_get(rcount * sizeof(recipient_item));
recipients_list_max = rcount;
recipients_list = store_get(rcount * sizeof(recipient_item));
+/* We sanitised the count and know we have enough memory, so disable
+the Coverity error on recipients_count */
+/* coverity[tainted_data] */
+
for (recipients_count = 0; recipients_count < rcount; recipients_count++)
{
int nn;
for (recipients_count = 0; recipients_count < rcount; recipients_count++)
{
int nn;
git://git.exim.org / exim.git / blobdiff