SPF: harden against crafted DNS responses

diff --git a/src/src/spf.c b/src/src/spf.c
index ef55520b10041a5d010540aebb5ae528e0260efb..16c840d7195b9ee8181a26de42a2af4fcb198d05 100644 (file)
--- a/src/src/spf.c
+++ b/src/src/spf.c
@@ -122,6 +122,7 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
     switch(rr_type)
       {
       case T_MX:
+       if (rr->size < 2) continue;
        s += 2; /* skip the MX precedence field */
       case T_PTR:
        {
@@ -137,6 +138,7 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
        gstring * g = NULL;
        uschar chunk_len;
 
+       if (rr->size < 1+6) continue;           /* min for version str */
        if (strncmpic(rr->data+1, US SPF_VER_STR, 6) != 0)
          {
          HDEBUG(D_host_lookup) debug_printf("not an spf record: %.*s\n",
@@ -144,9 +146,12 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
          continue;
          }
 
-       for (int off = 0; off < rr->size; off += chunk_len)
+       /* require 1 byte for the chunk_len */
+       for (int off = 0; off < rr->size - 1; off += chunk_len)
          {
-         if (!(chunk_len = s[off++])) break;
+         if (  !(chunk_len = s[off++])
+            || rr->size < off + chunk_len      /* ignore bogus size chunks */
+            ) break;
          g = string_catn(g, s+off, chunk_len);
          }
        if (!g)