DKIM: fix buffer overflow in verify

Caused crash in free() by corrupting malloc metadata.

Reported-by: University of Cambridge
Broken-by: 80a47a2c96

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 22f65c8724f7eb08265d65bd476f6146432daaef..e970b427569dcdc850b1fd2f7c2700e11b743a6e 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -58,6 +58,9 @@ JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as
       was marked defer_ok.  Fix to keep the two timeout-detection methods
       separate.
 
+JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
+      metadata, resulting in a crash in free().
+
 
 Exim version 4.90
 -----------------

diff --git a/src/src/pdkim/pdkim.c b/src/src/pdkim/pdkim.c
index 186258a621334bc537b73be718d2f87eb3cedf18..62934927d24fc845548a1468678219bcd8500da6 100644 (file)
--- a/src/src/pdkim/pdkim.c
+++ b/src/src/pdkim/pdkim.c
@@ -701,7 +701,7 @@ if (sig->canon_body == PDKIM_CANON_RELAXED)
   if (!relaxed_data)
     {
     BOOL seen_wsp = FALSE;
-    const uschar * p;
+    const uschar * p, * r;
     int q = 0;
 
     /* We want to be able to free this else we allocate
@@ -712,7 +712,7 @@ if (sig->canon_body == PDKIM_CANON_RELAXED)
     relaxed_data = store_malloc(sizeof(blob) + orig_data->len+1);
     relaxed_data->data = US (relaxed_data+1);
 
-    for (p = orig_data->data; *p; p++)
+    for (p = orig_data->data, r = p + orig_data->len; p < r; p++)
       {
       char c = *p;
       if (c == '\r')
@@ -838,6 +838,7 @@ ctx->linebuf_offset = 0;
 
 /* -------------------------------------------------------------------------- */
 /* Call from pdkim_feed below for processing complete body lines */
+/* NOTE: the line is not NUL-terminated; but we have a count */
 
 static void
 pdkim_bodyline_complete(pdkim_ctx * ctx)