Implement inlist/inlisti expansion conditions

[exim.git] / src / src / smtp_in.c

diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 03374c3ad3d0b288389a3e15f57ca8c1fe52fd94..7ca56e25527cb2747cedfd6a35b3596c6b533e00 100644 (file)
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -1,10 +1,8 @@
-/* $Cambridge: exim/src/src/smtp_in.c,v 1.65 2009/10/15 08:06:23 tom Exp $ */
-

 /*************************************************
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 

-/* Copyright (c) University of Cambridge 1995 - 2007 */
+/* Copyright (c) University of Cambridge 1995 - 2009 */

 /* See the file NOTICE for conditions of use and distribution. */
 
 /* Functions for handling an incoming SMTP call. */
 /* See the file NOTICE for conditions of use and distribution. */
 
 /* Functions for handling an incoming SMTP call. */


@@ -31,15 +29,21 @@ including that header, and restore its value afterwards. */
 
 int allow_severity = LOG_INFO;
 int deny_severity  = LOG_NOTICE;
 
 int allow_severity = LOG_INFO;
 int deny_severity  = LOG_NOTICE;

+uschar *tcp_wrappers_name;

 #endif
 
 
 /* Size of buffer for reading SMTP commands. We used to use 512, as defined
 by RFC 821. However, RFC 1869 specifies that this must be increased for SMTP
 commands that accept arguments, and this in particular applies to AUTH, where
 #endif
 
 
 /* Size of buffer for reading SMTP commands. We used to use 512, as defined
 by RFC 821. However, RFC 1869 specifies that this must be increased for SMTP
 commands that accept arguments, and this in particular applies to AUTH, where

-the data can be quite long. */
+the data can be quite long.  More recently this value was 2048 in Exim; 
+however, RFC 4954 (circa 2007) recommends 12288 bytes to handle AUTH.  Clients
+such as Thunderbird will send an AUTH with an initial-response for GSSAPI. 
+The maximum size of a Kerberos ticket under Windows 2003 is 12000 bytes, and 
+we need room to handle large base64-encoded AUTHs for GSSAPI.
+*/

 
 

-#define smtp_cmd_buffer_size  2048
+#define smtp_cmd_buffer_size  16384

 
 /* Size of buffer for reading SMTP incoming packets */
 
 
 /* Size of buffer for reading SMTP incoming packets */
 


@@ -48,7 +52,7 @@ the data can be quite long. */
 /* Structure for SMTP command list */
 
 typedef struct {
 /* Structure for SMTP command list */
 
 typedef struct {

-  char *name;
+  const char *name;

   int len;
   short int cmd;
   short int has_arg;
   int len;
   short int cmd;
   short int has_arg;


@@ -375,7 +379,7 @@ Returns:      nothing
 */
 
 void
 */
 
 void

-smtp_printf(char *format, ...)
+smtp_printf(const char *format, ...)

 {
 va_list ap;
 
 {
 va_list ap;
 


@@ -386,29 +390,28 @@ va_end(ap);
 
 /* This is split off so that verify.c:respond_printf() can, in effect, call
 smtp_printf(), bearing in mind that in C a vararg function can't directly
 
 /* This is split off so that verify.c:respond_printf() can, in effect, call
 smtp_printf(), bearing in mind that in C a vararg function can't directly

-call another vararg function, only a function which accepts a va_list.
-
-Note also that repeated calls to va_start()/va_end() pairs is claimed to be
-non-portable; meanwhile, va_copy() is also non-portable in that it's C99, so
-we end up needing OS support to define it for us. */
+call another vararg function, only a function which accepts a va_list. */

 
 void
 
 void

-smtp_vprintf(char *format, va_list ap)
+smtp_vprintf(const char *format, va_list ap)

 {
 {

-va_list ap_d;
+BOOL yield;
+
+yield = string_vformat(big_buffer, big_buffer_size, format, ap);

 
 DEBUG(D_receive)
   {
 
 DEBUG(D_receive)
   {

-  uschar *cr, *end;
-  va_copy(ap_d, ap);
-  (void) string_vformat(big_buffer, big_buffer_size, format, ap_d);
-  end = big_buffer + Ustrlen(big_buffer);
-  while ((cr = Ustrchr(big_buffer, '\r')) != NULL)   /* lose CRs */
-    memmove(cr, cr + 1, (end--) - cr);
-  debug_printf("SMTP>> %s", big_buffer);
+  void *reset_point = store_get(0);
+  uschar *msg_copy, *cr, *end;
+  msg_copy = string_copy(big_buffer);
+  end = msg_copy + Ustrlen(msg_copy);
+  while ((cr = Ustrchr(msg_copy, '\r')) != NULL)   /* lose CRs */
+  memmove(cr, cr + 1, (end--) - cr);
+  debug_printf("SMTP>> %s", msg_copy);
+  store_reset(reset_point);

   }
 
   }
 

-if (!string_vformat(big_buffer, big_buffer_size, format, ap))
+if (!yield)

   {
   log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_printf()");
   smtp_closedown(US"Unexpected error");
   {
   log_write(0, LOG_MAIN|LOG_PANIC, "string too large in smtp_printf()");
   smtp_closedown(US"Unexpected error");


@@ -1692,7 +1695,14 @@ if (!sender_host_unknown)
 
   #ifdef USE_TCP_WRAPPERS
   errno = 0;
 
   #ifdef USE_TCP_WRAPPERS
   errno = 0;

-  if (!hosts_ctl("exim",
+  tcp_wrappers_name = expand_string(tcp_wrappers_daemon_name);
+  if (tcp_wrappers_name == NULL)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC_DIE, "Expansion of \"%s\" "
+      "(tcp_wrappers_name) failed: %s", string_printing(tcp_wrappers_name),
+        expand_string_message);
+    }
+  if (!hosts_ctl(tcp_wrappers_name,

          (sender_host_name == NULL)? STRING_UNKNOWN : CS sender_host_name,
          (sender_host_address == NULL)? STRING_UNKNOWN : CS sender_host_address,
          (sender_ident == NULL)? STRING_UNKNOWN : CS sender_ident))
          (sender_host_name == NULL)? STRING_UNKNOWN : CS sender_host_name,
          (sender_host_address == NULL)? STRING_UNKNOWN : CS sender_host_address,
          (sender_ident == NULL)? STRING_UNKNOWN : CS sender_ident))


@@ -3837,6 +3847,32 @@ while (done <= 0)
     toomany = FALSE;
     cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = FALSE;
 
     toomany = FALSE;
     cmd_list[CMD_LIST_STARTTLS].is_mail_cmd = FALSE;
 

+    /* There's an attack where more data is read in past the STARTTLS command
+    before TLS is negotiated, then assumed to be part of the secure session
+    when used afterwards; we use segregated input buffers, so are not
+    vulnerable, but we want to note when it happens and, for sheer paranoia,
+    ensure that the buffer is "wiped".
+    Pipelining sync checks will normally have protected us too, unless disabled
+    by configuration. */
+
+    if (receive_smtp_buffered())
+      {
+      DEBUG(D_any)
+        debug_printf("Non-empty input buffer after STARTTLS; naive attack?");
+      if (tls_active < 0)
+        smtp_inend = smtp_inptr = smtp_inbuffer;
+      /* and if TLS is already active, tls_server_start() should fail */
+      }
+
+    /* There is nothing we value in the input buffer and if TLS is succesfully
+    negotiated, we won't use this buffer again; if TLS fails, we'll just read
+    fresh content into it.  The buffer contains arbitrary content from an
+    untrusted remote source; eg: NOOP <shellcode>\r\nSTARTTLS\r\n
+    It seems safest to just wipe away the content rather than leave it as a
+    target to jump to. */
+
+    memset(smtp_inbuffer, 0, in_buffer_size);
+

     /* Attempt to start up a TLS session, and if successful, discard all
     knowledge that was obtained previously. At least, that's what the RFC says,
     and that's what happens by default. However, in order to work round YAEB,
     /* Attempt to start up a TLS session, and if successful, discard all
     knowledge that was obtained previously. At least, that's what the RFC says,
     and that's what happens by default. However, in order to work round YAEB,