X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/52f12a7cec769b679305bb9ba23534dfd155d46a..9fa4d5b45f70b36a46c0d04381a5e05cb39ae3e9:/src/src/dkim.c diff --git a/src/src/dkim.c b/src/src/dkim.c index 5209cd983..dd999ff5b 100644 --- a/src/src/dkim.c +++ b/src/src/dkim.c @@ -43,9 +43,12 @@ static const uschar * dkim_collect_error = NULL; uschar * dkim_exim_query_dns_txt(uschar * name) { +/*XXX need to always alloc the dnsa, from tainted mem. +Then, we hope, the answers will be tainted */ + dns_answer dnsa; dns_scan dnss; -dns_record *rr; +rmark reset_point = store_mark(); gstring * g = NULL; lookup_dnssec_authenticated = NULL; @@ -54,7 +57,7 @@ if (dns_lookup(&dnsa, name, T_TXT, NULL) != DNS_SUCCEED) /* Search for TXT record */ -for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); +for (dns_record * rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); rr; rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT)) if (rr->type == T_TXT) @@ -77,7 +80,7 @@ for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); /* check if this looks like a DKIM record */ if (Ustrncmp(g->s, "v=", 2) != 0 || strncasecmp(CS g->s, "v=dkim", 6) == 0) { - gstring_reset_unused(g); + gstring_release_unused(g); return string_from_gstring(g); } @@ -85,7 +88,7 @@ for (rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS); } bad: -if (g) store_reset(g); +store_reset(reset_point); return NULL; /*XXX better error detail? logging? */ } @@ -280,15 +283,14 @@ return; void dkim_exim_verify_log_all(void) { -pdkim_signature * sig; -for (sig = dkim_signatures; sig; sig = sig->next) dkim_exim_verify_log_sig(sig); +for (pdkim_signature * sig = dkim_signatures; sig; sig = sig->next) + dkim_exim_verify_log_sig(sig); } void dkim_exim_verify_finish(void) { -pdkim_signature * sig; int rc; gstring * g = NULL; const uschar * errstr = NULL; @@ -320,7 +322,7 @@ if (rc != PDKIM_OK && errstr) /* Build a colon-separated list of signing domains (and identities, if present) in dkim_signers */ -for (sig = dkim_signatures; sig; sig = sig->next) +for (pdkim_signature * sig = dkim_signatures; sig; sig = sig->next) { if (sig->domain) g = string_append_listele(g, ':', sig->domain); if (sig->identity) g = string_append_listele(g, ':', sig->identity); @@ -372,7 +374,6 @@ int dkim_exim_acl_run(uschar * id, gstring ** res_ptr, uschar ** user_msgptr, uschar ** log_msgptr) { -pdkim_signature * sig; uschar * cmp_val; int rc = -1; @@ -385,7 +386,7 @@ if (f.dkim_disable_verify || !id || !dkim_verify_ctx) /* Find signatures to run ACL on */ -for (sig = dkim_signatures; sig; sig = sig->next) +for (pdkim_signature * sig = dkim_signatures; sig; sig = sig->next) if ( (cmp_val = Ustrchr(id, '@') != NULL ? US sig->identity : US sig->domain) && strcmpic(cmp_val, id) == 0 ) @@ -623,6 +624,7 @@ if (dkim_domain) /* Only sign once for each domain, no matter how often it appears in the expanded list. */ + dkim_signing_domain = string_copylc(dkim_signing_domain); if (match_isinlist(dkim_signing_domain, CUSS &seen_doms, 0, NULL, NULL, MCL_STRING, TRUE, NULL) == OK) continue; @@ -782,14 +784,15 @@ CLEANUP: pk_bad: log_write(0, LOG_MAIN|LOG_PANIC, - "DKIM: signing failed: %.100s", pdkim_errstr(pdkim_rc)); + "DKIM: signing failed: %.100s", pdkim_errstr(pdkim_rc)); bad: sigbuf = NULL; goto CLEANUP; expand_bad: - log_write(0, LOG_MAIN | LOG_PANIC, "failed to expand %s: %s", - errwhen, expand_string_message); + *errstr = string_sprintf("failed to expand %s: %s", + errwhen, expand_string_message); + log_write(0, LOG_MAIN | LOG_PANIC, "%s", *errstr); goto bad; } @@ -799,12 +802,11 @@ expand_bad: gstring * authres_dkim(gstring * g) { -pdkim_signature * sig; int start = 0; /* compiler quietening */ DEBUG(D_acl) start = g->ptr; -for (sig = dkim_signatures; sig; sig = sig->next) +for (pdkim_signature * sig = dkim_signatures; sig; sig = sig->next) { g = string_catn(g, US";\n\tdkim=", 8);