From: Jeremy Harris
Date: Wed, 7 Feb 2018 23:09:55 +0000 (+0000)
Subject: DKIM: fix buffer overflow in verify
X-Git-Tag: exim-4_90_1~4
X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/e5fc5d4ba779be4c57bd08ad2da70b6e1a85a549

DKIM: fix buffer overflow in verify

Caused crash in free() by corrupting malloc metadata.

Reported-by: University of Cambridge
Broken-by: 80a47a2c96
---
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 22f65c872..e970b4275 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -58,6 +58,9 @@ JH/14 Bug 2174: A timeout on connect for a callout was also erroneously seen as
 was marked defer_ok. Fix to keep the two timeout-detection methods separate.
+JH/16 Fix bug in DKIM verify: a buffer overflow could corrupt the malloc
+ metadata, resulting in a crash in free().
+
 Exim version 4.90
 -----------------
diff --git a/src/src/pdkim/pdkim.c b/src/src/pdkim/pdkim.c
index 186258a62..62934927d 100644
--- a/src/src/pdkim/pdkim.c
+++ b/src/src/pdkim/pdkim.c
@@ -701,7 +701,7 @@ if (sig->canon_body == PDKIM_CANON_RELAXED)
 if (!relaxed_data)
 {
 BOOL seen_wsp = FALSE;
- const uschar * p;
+ const uschar * p, * r;
 int q = 0;

 /* We want to be able to free this else we allocate
@@ -712,7 +712,7 @@ if (sig->canon_body == PDKIM_CANON_RELAXED)
 relaxed_data = store_malloc(sizeof(blob) + orig_data->len+1);
 relaxed_data->data = US (relaxed_data+1);

- for (p = orig_data->data; *p; p++)
+ for (p = orig_data->data, r = p + orig_data->len; p < r; p++)
 {
 char c = *p;
 if (c == '\r')
@@ -838,6 +838,7 @@ ctx->linebuf_offset = 0;
 /* -------------------------------------------------------------------------- */
 /* Call from pdkim_feed below for processing complete body lines */
+/* NOTE: the line is not NUL-terminated; but we have a count */
 static void
 pdkim_bodyline_complete(pdkim_ctx * ctx)
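Review bot: The new bound `p < r` in the second pdkim.c hunk stops the over-read, but nothing at the loop records why scanning to `*p` was wrong, so a later edit could reintroduce it; a comment on the line before the `for` would pin it: `/* orig_data is a counted buffer, not NUL-terminated: bound the scan by len, never by *p */`. The relaxed output is written into a buffer of `orig_data->len+1` bytes, so the write position `q` must also stay within that size; the loop body continues outside the hunk, and since relaxed canonicalisation only drops or collapses whitespace the output should never exceed the input length, but that is worth confirming against the rest of the loop. The `+1` in the allocation presumably reserves room for a terminator written after the loop — confirm it is still written, as downstream code may depend on it. The enclosing function begins before the first pdkim.c hunk and ends after the second.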