$authenticated_fail_id variable on authentication failure. Previously
it was unset.
-JH/36 Harder the handling of string-lists. When a list consisted of a sole
+JH/36 Harden the handling of string-lists. When a list consisted of a sole
"<" character, which should be a list-separator specification, we walked
off past the nul-terimation.
AM/01 GnuTLS: repeat lowlevel read and write operations while they return error
codes indicating retry. Under TLS1.3 this becomes required.
+JH/41 Fix the loop reading a message header line to check for integer overflow,
+ and more-often against header_maxsize. Previously a crafted message could
+ induce a crash of the recive process; now the message is cleanly rejected.
+
Exim version 4.91
-----------------
if (ptr >= header_size - 4)
{
int oldsize = header_size;
- /* header_size += 256; */
+
+ if (header_size >= INT_MAX/2)
+ goto OVERSIZE;
header_size *= 2;
+
if (!store_extend(next->text, oldsize, header_size))
next->text = store_newblock(next->text, header_size, ptr);
}
if (message_size >= header_maxsize)
{
+OVERSIZE:
next->text[ptr] = 0;
next->slen = ptr;
next->type = htype_other;
if (nextch == ' ' || nextch == '\t')
{
next->text[ptr++] = nextch;
- message_size++;
+ if (++message_size >= header_maxsize)
+ goto OVERSIZE;
continue; /* Iterate the loop */
}
else if (nextch != EOF) (receive_ungetc)(nextch); /* For next time */