From 14bc9cf085aff7bd5147881e5b7068769a29b026 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 14 Mar 2019 12:26:34 +0000 Subject: [PATCH] Fix crash from SRV lookup hitting a CNAME --- doc/doc-txt/ChangeLog | 4 ++++ src/src/dns.c | 10 +++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 5a42f0e7c..2239d9c16 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -35,6 +35,10 @@ JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part and/or domain. Found and fixed by Jason Betts. +JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid + configuration). If a CNAME target was not a wellformed name pattern, a + crash could result. + Exim version 4.92 ----------------- diff --git a/src/src/dns.c b/src/src/dns.c index dd929d49f..6ef6b7784 100644 --- a/src/src/dns.c +++ b/src/src/dns.c @@ -710,7 +710,11 @@ lookup, which constructs the names itself, so they should be OK. Besides, bitstring labels don't conform to normal name syntax. (But the aren't used any more.) -For SRV records, we omit the initial _smtp._tcp. components at the start. */ +For SRV records, we omit the initial _smtp._tcp. components at the start. +The check has been seen to bite on the destination of a SRV lookup that +initiall hit a CNAME, for which the next name had only two components. +RFC2782 makes no mention of the possibiility of CNAMES, but the Wikipedia +article on SRV says they are not a valid configuration. */ #ifndef STAND_ALONE /* Omit this for stand-alone tests */ @@ -726,8 +730,8 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT) if (type == T_SRV || type == T_TLSA) { - while (*checkname++ != '.'); - while (*checkname++ != '.'); + while (*checkname && *checkname++ != '.') ; + while (*checkname && *checkname++ != '.') ; } if (pcre_exec(regex_check_dns_names, NULL, CCS checkname, Ustrlen(checkname), -- 2.30.2