From 97229a2119f27f735ba4f02c131aac116ee0d5d5 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 14 Mar 2019 12:26:34 +0000 Subject: [PATCH] Fix crash from SRV lookup hitting a CNAME (cherry picked from commit 14bc9cf085aff7bd5147881e5b7068769a29b026) (cherry picked from commit 09720dd9506176294154dad7152f5f40554046a4) (cherry picked from commit a189eb636256833f3053d8f2fbb95e51dc0f936c) --- doc/doc-txt/ChangeLog | 4 ++++ src/src/dns.c | 10 +++++++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 35d26b3b9..ca123beab 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -32,6 +32,10 @@ JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part and/or domain. Found and fixed by Jason Betts. +JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid + configuration). If a CNAME target was not a wellformed name pattern, a + crash could result. + Exim version 4.92 ----------------- diff --git a/src/src/dns.c b/src/src/dns.c index 0f0b435de..b7978c521 100644 --- a/src/src/dns.c +++ b/src/src/dns.c @@ -716,7 +716,11 @@ lookup, which constructs the names itself, so they should be OK. Besides, bitstring labels don't conform to normal name syntax. (But the aren't used any more.) -For SRV records, we omit the initial _smtp._tcp. components at the start. */ +For SRV records, we omit the initial _smtp._tcp. components at the start. +The check has been seen to bite on the destination of a SRV lookup that +initiall hit a CNAME, for which the next name had only two components. +RFC2782 makes no mention of the possibiility of CNAMES, but the Wikipedia +article on SRV says they are not a valid configuration. */ #ifndef STAND_ALONE /* Omit this for stand-alone tests */ @@ -732,8 +736,8 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT) if (type == T_SRV || type == T_TLSA) { - while (*checkname++ != '.'); - while (*checkname++ != '.'); + while (*checkname && *checkname++ != '.') ; + while (*checkname && *checkname++ != '.') ; } if (pcre_exec(regex_check_dns_names, NULL, CCS checkname, Ustrlen(checkname), -- 2.30.2