From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Sat, 10 Aug 2019 16:56:30 +0000 (+0100)
Subject: DKIM: use tainted mem for dns lookup
X-Git-Tag: exim-4.93-RC0~108
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/362e4161e252f96a7b529d52f650ddc88d1cc9f7

DKIM: use tainted mem for dns lookup
---

diff --git a/src/src/dkim.c b/src/src/dkim.c
index 8bb2efbf0..5883596a7 100644
--- a/src/src/dkim.c
+++ b/src/src/dkim.c
@@ -37,29 +37,28 @@ static const uschar * dkim_collect_error = NULL;
 
 
 
-/*XXX the caller only uses the first record if we return multiple.
+/* Look up the DKIM record in DNS for the given hostname.
+Will use the first found if there are multiple.
+The return string is tainted, having come from off-site.
 */
 
 uschar *
 dkim_exim_query_dns_txt(const uschar * name)
 {
-/*XXX need to always alloc the dnsa, from tainted mem.
-Then, we hope, the answers will be tainted */
-
-dns_answer dnsa;
+dns_answer * dnsa = store_get(sizeof(dns_answer), TRUE);	/* use tainted mem */
 dns_scan dnss;
 rmark reset_point = store_mark();
 gstring * g = NULL;
 
 lookup_dnssec_authenticated = NULL;
-if (dns_lookup(&dnsa, name, T_TXT, NULL) != DNS_SUCCEED)
+if (dns_lookup(dnsa, name, T_TXT, NULL) != DNS_SUCCEED)
   return NULL;	/*XXX better error detail?  logging? */
 
 /* Search for TXT record */
 
-for (dns_record * rr = dns_next_rr(&dnsa, &dnss, RESET_ANSWERS);
+for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS);
      rr;
-     rr = dns_next_rr(&dnsa, &dnss, RESET_NEXT))
+     rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
   if (rr->type == T_TXT)
     {
     int rr_offset = 0;