From: Jeremy Harris Date: Thu, 10 Jan 2019 21:15:11 +0000 (+0000) Subject: More checks on header line length during reception X-Git-Tag: exim-4.92-RC5~5 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/56ac062a3ff94fc4e1bbfc2293119c079a4e980b?hp=fcb900d84cc71cb169bd1b223920de1026772695 More checks on header line length during reception --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index a3de86432..e2dd71b2b 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -187,6 +187,10 @@ JH/40 Fix the feature-cache refresh for EXPERIMENTAL_PIPE_CONNECT. Previously it only wrote the new authenticators, resulting in a lack of tracking of peer changes of ESMTP extensions until the next cache flush. +JH/41 Fix the loop reading a message header line to check for integer overflow, + and more-often against header_maxsize. Previously a crafted message could + induce a crash of the recive process; now the message is cleanly rejected. + Exim version 4.91 ----------------- diff --git a/src/src/receive.c b/src/src/receive.c index 6d54ad33c..a0467e8c8 100644 --- a/src/src/receive.c +++ b/src/src/receive.c @@ -1827,8 +1827,11 @@ for (;;) if (ptr >= header_size - 4) { int oldsize = header_size; - /* header_size += 256; */ + + if (header_size >= INT_MAX/2) + goto OVERSIZE; header_size *= 2; + if (!store_extend(next->text, oldsize, header_size)) next->text = store_newblock(next->text, header_size, ptr); } @@ -1934,6 +1937,7 @@ for (;;) if (message_size >= header_maxsize) { +OVERSIZE: next->text[ptr] = 0; next->slen = ptr; next->type = htype_other; @@ -2005,7 +2009,8 @@ for (;;) if (nextch == ' ' || nextch == '\t') { next->text[ptr++] = nextch; - message_size++; + if (++message_size >= header_maxsize) + goto OVERSIZE; continue; /* Iterate the loop */ } else if (nextch != EOF) (receive_ungetc)(nextch); /* For next time */