Defend against symlink attack by another process running as exim

[exim.git] / src / src / mime.c

diff --git a/src/src/mime.c b/src/src/mime.c
index 6a64b26b1f8f6e8a17ff645029f0740130726a45..c924f2bc3219532bdf6ae5df56f91a72fe8578d9 100644 (file)
--- a/src/src/mime.c
+++ b/src/src/mime.c
@@ -2,8 +2,10 @@
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 
-/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004, 2015 */
-/* License: GPL */
+/* Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004, 2015
+ * License: GPL
+ * Copyright (c) The Exim Maintainers 2016
+ */
 
 #include "exim.h"
 #ifdef WITH_CONTENT_SCAN       /* entire file */
@@ -190,13 +192,11 @@ static FILE *
 mime_get_decode_file(uschar *pname, uschar *fname)
 {
 FILE *f = NULL;
-uschar *filename;
-
-filename = (uschar *)malloc(2048);
+uschar *filename = NULL;
 
 if (pname && fname)
   {
-  (void)string_format(filename, 2048, "%s/%s", pname, fname);
+  filename = string_sprintf("%s/%s", pname, fname);
   f = modefopen(filename,"wb+",SPOOL_MODE);
   }
 else if (!pname)
@@ -210,8 +210,7 @@ else if (!fname)
   do
     {
     struct stat mystat;
-    (void)string_format(filename, 2048,
-      "%s/%s-%05u", pname, message_id, file_nr++);
+    filename = string_sprintf("%s/%s-%05u", pname, message_id, file_nr++);
     /* security break */
     if (file_nr >= 1024)
       break;
@@ -222,6 +221,7 @@ else if (!fname)
   }
 
 /* set expansion variable */
+/*XXX ? not set if !pname ? */
 mime_decoded_filename = filename;
 
 return f;
@@ -304,7 +304,8 @@ decode_function =
 size_counter = decode_function(mime_stream, decode_file, mime_current_boundary);
 
 clearerr(mime_stream);
-fseek(mime_stream, f_pos, SEEK_SET);
+if (fseek(mime_stream, f_pos, SEEK_SET))
+  return DEFER;
 
 if (fclose(decode_file) != 0 || size_counter < 0)
   return DEFER;
@@ -462,11 +463,11 @@ while (*s && *s != ';')           /* ; terminates */
     {
     s++;                       /* skip opening " */
     while (*s && *s != '"')    /* " protects ; */
-      val = string_cat(val, &size, &ptr, s++, 1);
+      val = string_catn(val, &size, &ptr, s++, 1);
     if (*s) s++;               /* skip closing " */
     }
   else
-    val = string_cat(val, &size, &ptr, s++, 1);
+    val = string_catn(val, &size, &ptr, s++, 1);
 if (val) val[ptr] = '\0';
 *sp = s;
 return val;
@@ -493,24 +494,24 @@ static uschar *
 rfc2231_to_2047(const uschar * fname, const uschar * charset, int * len)
 {
 int size = 0, ptr = 0;
-uschar * val = string_cat(NULL, &size, &ptr, US"=?", 2);
+uschar * val = string_catn(NULL, &size, &ptr, US"=?", 2);
 uschar c;
 
 if (charset)
-  val = string_cat(val, &size, &ptr, charset, Ustrlen(charset));
-val = string_cat(val, &size, &ptr, US"?Q?", 3);
+  val = string_cat(val, &size, &ptr, charset);
+val = string_catn(val, &size, &ptr, US"?Q?", 3);
 
 while ((c = *fname))
   if (c == '%' && isxdigit(fname[1]) && isxdigit(fname[2]))
     {
-    val = string_cat(val, &size, &ptr, US"=", 1);
-    val = string_cat(val, &size, &ptr, ++fname, 2);
+    val = string_catn(val, &size, &ptr, US"=", 1);
+    val = string_catn(val, &size, &ptr, ++fname, 2);
     fname += 2;
     }
   else
-    val = string_cat(val, &size, &ptr, fname++, 1);
+    val = string_catn(val, &size, &ptr, fname++, 1);
 
-val = string_cat(val, &size, &ptr, US"?=", 2);
+val = string_catn(val, &size, &ptr, US"?=", 2);
 val[*len = ptr] = '\0';
 return val;
 }