Track tainted data and refuse to expand it

[exim.git] / src / src / routers / iplookup.c

diff --git a/src/src/routers/iplookup.c b/src/src/routers/iplookup.c
index ff67af38dd8b512832ee8c1aca559829533e3379..4ceb1f59a2fa08158dd02bfcce4a479a42dc1d61 100644 (file)
--- a/src/src/routers/iplookup.c
+++ b/src/src/routers/iplookup.c
@@ -160,7 +160,7 @@ uschar *reply;
 uschar *hostname, *reroute, *domain;
 const uschar *listptr;
 uschar host_buffer[256];
-host_item *host = store_get(sizeof(host_item));
+host_item *host = store_get(sizeof(host_item), FALSE);
 address_item *new_addr;
 iplookup_router_options_block *ob =
   (iplookup_router_options_block *)(rblock->options_block);
@@ -176,7 +176,7 @@ pw = pw;
 DEBUG(D_route) debug_printf("%s router called for %s: domain = %s\n",
   rblock->name, addr->address, addr->domain);
 
-reply = store_get(256);
+reply = store_get(256, TRUE);  /* tainted data */
 
 /* Build the query string to send. If not explicitly given, a default of
 "user@domain user@domain" is used. */
@@ -279,7 +279,7 @@ while ((hostname = string_nextinlist(&listptr, &sep, host_buffer,
     /* Read the response and close the socket. If the read fails, try the
     next IP address. */
 
-    count = ip_recv(&query_cctx, reply, sizeof(reply) - 1, ob->timeout);
+    count = ip_recv(&query_cctx, reply, sizeof(reply) - 1, time(NULL) + ob->timeout);
     (void)close(query_cctx.sock);
     if (count <= 0)
       {