X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/8ab9474f03559cc0700b85bc8c4c3581275e9f8e..refs/tags/exim-4.97:/src/src/spf.c?ds=sidebyside
diff --git a/src/src/spf.c b/src/src/spf.c
index 100e22243..e72051708 100644
--- a/src/src/spf.c
+++ b/src/src/spf.c
@@ -3,7 +3,7 @@
 *************************************************/
 /* SPF support.
- Copyright (c) The Exim Maintainers 2015 - 2022
+ Copyright (c) The Exim Maintainers 2015 - 2023
 Copyright (c) Tom Kistner 2004 - 2014
 License: GPL
 SPDX-License-Identifier: GPL-2.0-or-later
@@ -97,7 +97,8 @@ switch (dns_lookup(dnsa, US domain, rr_type, NULL))
 srr.herrno = NETDB_SUCCESS;
 for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
 rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
- if (rr->type == rr_type) { found++; break; }
+ /* Need to alloc space for all records, so no early-out */
+ if (rr->type == rr_type) found++;
 break;
 }
@@ -121,6 +122,7 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
 switch(rr_type)
 {
 case T_MX:
+ if (rr->size < 2) continue;
 s += 2; /* skip the MX precedence field */
 case T_PTR:
 {
@@ -136,6 +138,7 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
 gstring * g = NULL;
 uschar chunk_len;
+ if (rr->size < 1+6) continue; /* min for version str */
 if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
 {
 HDEBUG(D_host_lookup) debug_printf("not an spf record: %.*s\n",
@@ -143,9 +146,12 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
 continue;
 }
- for (int off = 0; off < rr->size; off += chunk_len)
+ /* require 1 byte for the chunk_len */
+ for (int off = 0; off < rr->size - 1; off += chunk_len)
 {
- if (!(chunk_len = s[off++])) break;
+ if ( !(chunk_len = s[off++])
+ || rr->size < off + chunk_len /* ignore bogus size chunks */
+ ) break;
 g = string_catn(g, s+off, chunk_len);
 }
 if (!g)
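Review bot: With the early-out removed, `found` counts every record of the wanted type, but the fill loop later in this diff now skips records with `continue` (the `case T_MX:` size check and the TXT version-string check), so `found` is only an upper bound on the entries actually stored. The allocation and the final record count are outside the hunks shown; it is worth confirming that the count handed on with the result comes from the fill pass and not from this first pass, otherwise unfilled slots could be read as records. The new comment could say so: `/* Count every matching RR to size the array; the fill pass may store fewer */`.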
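Review bot: The new `rr->size < 2` guard at `case T_MX:` only guarantees the two preference bytes, so a record of exactly 2 bytes still falls through to `case T_PTR:` with `s` pointing at the end of the record data. Whether the name decoding there is bounded by the record or only by the whole DNS answer is not visible in this hunk, so requiring room for at least a root label, `if (rr->size < 2 + 1) continue;`, would be the safer check. The intentional fall-through would also read more clearly with a `/* FALLTHROUGH */` comment after `s += 2;`.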
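Review bot: The length 6 now appears twice in the TXT branch, in the `rr->size < 1+6` guard and in the `strncmpic()` call, and the guard only protects the compare while both stay equal to the length of `SPF_VER_STR`. A named constant used on both lines (or `sizeof(SPF_VER_STR)-1`, if `SPF_VER_STR` is a string-literal macro) would keep them in step. The enclosing loop and the rest of the `debug_printf()` call are outside this hunk.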
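Review bot: A chunk whose length byte runs past `rr->size` now ends the loop, but the chunks already appended to `g` are kept, so a malformed TXT record is still passed on as a truncated policy string instead of being rejected. A truncated SPF record can evaluate differently from the published one (a trailing `-all` may be lost), so it seems safer to drop the whole record: keep `if (!(chunk_len = s[off++])) break;` and follow it with `if (rr->size < off + chunk_len) { g = NULL; break; }`. This relies on the `if (!g)` branch that begins on the last line of the hunk skipping the record; its body and the enclosing loop are outside the hunk, so that should be confirmed.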