git://git.exim.org
/
exim.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
transport_pass_socket
[exim.git]
/
src
/
src
/
spam.c
diff --git
a/src/src/spam.c
b/src/src/spam.c
index 1159d36874ff02df9b41ffffc405c836875274c2..f46e11e42391d7005d412b42afa73a87f4db4bb5 100644
(file)
--- a/
src/src/spam.c
+++ b/
src/src/spam.c
@@
-2,8
+2,10
@@
* Exim - an Internet mail transport agent *
*************************************************/
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015 */
-/* License: GPL */
+/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2003 - 2015
+ * License: GPL
+ * Copyright (c) The Exim Maintainers 2016
+ */
/* Code for calling spamassassin's spamd. Called from acl.c. */
/* Code for calling spamassassin's spamd. Called from acl.c. */
@@
-500,8
+502,9
@@
offset = 0;
while ((i = ip_recv(spamd_sock,
spamd_buffer + offset,
sizeof(spamd_buffer) - offset - 1,
while ((i = ip_recv(spamd_sock,
spamd_buffer + offset,
sizeof(spamd_buffer) - offset - 1,
- sd->timeout - time(NULL) + start)) > 0
)
+ sd->timeout - time(NULL) + start)) > 0)
offset += i;
offset += i;
+spamd_buffer[offset] = '\0'; /* guard byte */
/* error handling */
if (i <= 0 && errno != 0)
/* error handling */
if (i <= 0 && errno != 0)
@@
-518,10
+521,12
@@
if (i <= 0 && errno != 0)
if (sd->is_rspamd)
{ /* rspamd variant of reply */
int r;
if (sd->is_rspamd)
{ /* rspamd variant of reply */
int r;
- if ((r = sscanf(CS spamd_buffer,
+ if (
(r = sscanf(CS spamd_buffer,
"RSPAMD/%7s 0 EX_OK\r\nMetric: default; %7s %lf / %lf / %lf\r\n%n",
spamd_version, spamd_short_result, &spamd_score, &spamd_threshold,
"RSPAMD/%7s 0 EX_OK\r\nMetric: default; %7s %lf / %lf / %lf\r\n%n",
spamd_version, spamd_short_result, &spamd_score, &spamd_threshold,
- &spamd_reject_score, &spamd_report_offset)) != 5)
+ &spamd_reject_score, &spamd_report_offset)) != 5
+ || spamd_report_offset >= offset /* verify within buffer */
+ )
{
log_write(0, LOG_MAIN|LOG_PANIC,
"%s cannot parse spamd %s, output: %d", loglabel, callout_address, r);
{
log_write(0, LOG_MAIN|LOG_PANIC,
"%s cannot parse spamd %s, output: %d", loglabel, callout_address, r);