X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/4e48d56c083d2f763a5978e1dbf515b12dc12f96..d6c829b9a350f61c98196768e3260beb3cbecbfe:/src/src/smtp_out.c diff --git a/src/src/smtp_out.c b/src/src/smtp_out.c index c1cf901dc..ece79de10 100644 --- a/src/src/smtp_out.c +++ b/src/src/smtp_out.c @@ -52,6 +52,17 @@ if (!(expint = expand_string(istring))) return FALSE; } +if (is_tainted(expint)) + { + log_write(0, LOG_MAIN|LOG_PANIC, + "attempt to use tainted value '%s' from '%s' for interface", + expint, istring); + addr->transport_return = PANIC; + addr->message = string_sprintf("failed to expand \"interface\" " + "option for %s: configuration error", msg); + return FALSE; + } + while (isspace(*expint)) expint++; if (*expint == 0) return TRUE; @@ -296,7 +307,7 @@ if (save_errno != 0) { HDEBUG(D_transport|D_acl|D_v) { - debug_printf_indent("failed: %s", CUstrerror(save_errno)); + debug_printf_indent(" failed: %s", CUstrerror(save_errno)); if (save_errno == ETIMEDOUT) debug_printf(" (timeout=%s)", readconf_printtime(timeout)); debug_printf("\n"); @@ -313,7 +324,7 @@ else union sockaddr_46 interface_sock; EXIM_SOCKLEN_T size = sizeof(interface_sock); - HDEBUG(D_transport|D_acl|D_v) debug_printf_indent("connected\n"); + HDEBUG(D_transport|D_acl|D_v) debug_printf_indent(" connected\n"); if (getsockname(sock, (struct sockaddr *)(&interface_sock), &size) == 0) sending_ip_address = host_ntoa(-1, &interface_sock, NULL, &sending_port); else @@ -521,8 +532,14 @@ if (format) gstring gs = { .size = big_buffer_size, .ptr = 0, .s = big_buffer }; va_list ap; + /* Use taint-unchecked routines for writing into big_buffer, trusting that + we'll never expand the results. Actually, the error-message use - leaving + the results in big_buffer for potential later use - is uncomfortably distant. + XXX Would be better to assume all smtp commands are short, use normal pool + alloc rather than big_buffer, and another global for the data-for-error. */ + va_start(ap, format); - if (!string_vformat(&gs, FALSE, CS format, ap)) + if (!string_vformat(&gs, SVFMT_TAINT_NOCHK, CS format, ap)) log_write(0, LOG_MAIN|LOG_PANIC_DIE, "overlong write_command in outgoing " "SMTP"); va_end(ap); @@ -538,7 +555,7 @@ if (format) if (!flush_buffer(outblock, SCMD_FLUSH)) return -1; } - Ustrncpy(CS outblock->ptr, gs.s, gs.ptr); + Ustrncpy(outblock->ptr, gs.s, gs.ptr); outblock->ptr += gs.ptr; outblock->cmd_count++; gs.ptr -= 2; string_from_gstring(&gs); /* remove \r\n for error message */ @@ -589,14 +606,14 @@ Arguments: inblock the SMTP input block (contains holding buffer, socket, etc.) buffer where to put the line size space available for the line - timeout the timeout to use when reading a packet + timelimit deadline for reading the lime, seconds past epoch Returns: length of a line that has been put in the buffer -1 otherwise, with errno set */ static int -read_response_line(smtp_inblock *inblock, uschar *buffer, int size, int timeout) +read_response_line(smtp_inblock *inblock, uschar *buffer, int size, time_t timelimit) { uschar *p = buffer; uschar *ptr = inblock->ptr; @@ -639,7 +656,7 @@ for (;;) /* Need to read a new input packet. */ - if((rc = ip_recv(cctx, inblock->buffer, inblock->buffersize, timeout)) <= 0) + if((rc = ip_recv(cctx, inblock->buffer, inblock->buffersize, timelimit)) <= 0) { DEBUG(D_deliver|D_transport|D_acl|D_v) debug_printf_indent(errno ? " SMTP(%s)<<\n" : " SMTP(closed)<<\n", @@ -696,6 +713,7 @@ smtp_read_response(void * sx0, uschar * buffer, int size, int okdigit, smtp_context * sx = sx0; uschar * ptr = buffer; int count = 0; +time_t timelimit = time(NULL) + timeout; errno = 0; /* Ensure errno starts out zero */ @@ -718,7 +736,7 @@ response. */ for (;;) { - if ((count = read_response_line(&sx->inblock, ptr, size, timeout)) < 0) + if ((count = read_response_line(&sx->inblock, ptr, size, timelimit)) < 0) return FALSE; HDEBUG(D_transport|D_acl|D_v)