X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/35916b2f03491ce505f69b15096bfd8d00e08286..90bd3832bc0ff090ac5e37dfc66b30cabb9cfc1a:/src/src/spf.c

diff --git a/src/src/spf.c b/src/src/spf.c
index ef55520b1..cc36463e4 100644
--- a/src/src/spf.c
+++ b/src/src/spf.c
@@ -3,7 +3,7 @@
 *************************************************/
 
 /* SPF support.
-   Copyright (c) The Exim Maintainers 2015 - 2022
+   Copyright (c) The Exim Maintainers 2015 - 2023
    Copyright (c) Tom Kistner <tom@duncanthrax.net> 2004 - 2014
    License: GPL
    SPDX-License-Identifier: GPL-2.0-or-later
@@ -122,6 +122,7 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
     switch(rr_type)
       {
       case T_MX:
+	if (rr->size < 2) continue;
 	s += 2;	/* skip the MX precedence field */
       case T_PTR:
 	{
@@ -137,6 +138,7 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
 	gstring * g = NULL;
 	uschar chunk_len;
 
+	if (rr->size < 1+6) continue;		/* min for version str */
 	if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
 	  {
 	  HDEBUG(D_host_lookup) debug_printf("not an spf record: %.*s\n",
@@ -144,9 +146,12 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
 	  continue;
 	  }
 
-	for (int off = 0; off < rr->size; off += chunk_len)
+	/* require 1 byte for the chunk_len */
+	for (int off = 0; off < rr->size - 1; off += chunk_len)
 	  {
-	  if (!(chunk_len = s[off++])) break;
+	  if (  !(chunk_len = s[off++])
+	     || rr->size < off + chunk_len	/* ignore bogus size chunks */
+	     ) break;
 	  g = string_catn(g, s+off, chunk_len);
 	  }
 	if (!g)
@@ -248,10 +253,13 @@ if (!(spf_server = SPF_server_new_dns(dc, debug)))
   DEBUG(D_receive) debug_printf("spf: SPF_server_new() failed.\n");
   return FALSE;
   }
-  /* Override the outdated explanation URL.
-  See https://www.mail-archive.com/mailop@mailop.org/msg08019.html
-  Used to work as "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}",
-  but is broken now (May 18th, 2020) */
+
+/* Override the outdated explanation URL.
+See https://www.mail-archive.com/mailop@mailop.org/msg08019.html
+Used to work as "Please%_see%_http://www.open-spf.org/Why?id=%{S}&ip=%{C}&receiver=%{R}",
+but is broken now (May 18th, 2020) */
+
+GET_OPTION("spf_smtp_comment_template");
 if (!(s = expand_string(spf_smtp_comment_template)))
   log_write(0, LOG_MAIN|LOG_PANIC_DIE, "expansion of spf_smtp_comment_template failed");
 
@@ -336,7 +344,8 @@ else for (int i = 0; i < SPF_response_messages(spf_response); i++)
 Return: OK/FAIL  */
 
 int
-spf_process(const uschar **listptr, uschar *spf_envelope_sender, int action)
+spf_process(const uschar ** listptr, const uschar * spf_envelope_sender,
+  int action)
 {
 int sep = 0;
 const uschar *list = *listptr;