authorJeremy Harris <jgh146exb@wizmail.org>2019-12-12 23:43:10 +0000
committerHeiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>2019-12-13 10:59:41 +0100
commit2529a7a64df7aa824d453c6419af07825409e519 (patch)
tree56c37ac6ef1ac7ded17bd78913dfd10184d9dbb3
parent92a158a6b870886fef89ecc084e6e745f91060e7 (diff)
Fix taint issue with retry records. Bug 2492exim-4.93.0.3
(cherry picked from commit 5fae29d5b430d6a5f58c6c02cdefbbf307e258a9)
-rw-r--r--doc/doc-txt/ChangeLog4
-rw-r--r--src/src/retry.c25
2 files changed, 18 insertions, 11 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index da0578a34..b231a3f75 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -22,6 +22,10 @@ JH/08 Bug 2491: Use tainted buffers for the transport smtp context. Previously
JH/09 Bug 2493: Harden ARC verify against Outlook, whick has been seen to mix
the ordering of its ARC headers. This caused a crash.
+JH/10 Bug 2492: Use tainted memory for retry record when needed. Previously when
+ a new record was being constructed with information from the peer, a trap
+ was taken.
+
Exim version 4.93
-----------------
diff --git a/src/src/retry.c b/src/src/retry.c
index d068f547d..175da216e 100644
--- a/src/src/retry.c
+++ b/src/src/retry.c
@@ -659,7 +659,8 @@ for (int i = 0; i < 3; i++)
/* Read a retry record from the database or construct a new one.
Ignore an old one if it is too old since it was last updated. */
- retry_record = dbfn_read(dbm_file, rti->key);
+ retry_record = dbfn_read_with_length(dbm_file, rti->key,
+ &message_space);
if ( retry_record
&& now - retry_record->time_stamp > retry_data_expire)
retry_record = NULL;
@@ -675,7 +676,7 @@ for (int i = 0; i < 3; i++)
retry_record->expired = FALSE;
retry_record->text[0] = 0; /* just in case */
}
- else message_space = Ustrlen(retry_record->text);
+ else message_space -= sizeof(dbdata_retry);
/* Compute how long this destination has been failing */
@@ -806,15 +807,17 @@ for (int i = 0; i < 3; i++)
if (next_try - now > retry_interval_max)
next_try = now + retry_interval_max;
- /* If the new message length is greater than the previous one, we
- have to copy the record first. */
-
- if (message_length > message_space)
- {
- dbdata_retry *newr = store_get(sizeof(dbdata_retry) + message_length, FALSE);
- memcpy(newr, retry_record, sizeof(dbdata_retry));
- retry_record = newr;
- }
+ /* If the new message length is greater than the previous one, we have
+ to copy the record first. If we're using an old one, the read used
+ tainted memory so we're ok to write into it. */
+
+ if (message_length > message_space)
+ {
+ dbdata_retry * newr =
+ store_get(sizeof(dbdata_retry) + message_length, is_tainted(message));
+ memcpy(newr, retry_record, sizeof(dbdata_retry));
+ retry_record = newr;
+ }
/* Set up the retry record; message_length may be less than the string
length for very long error strings. */
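Review bot: The subtraction `message_space -= sizeof(dbdata_retry)` in the second hunk has no check that the length returned by dbfn_read_with_length is at least sizeof(dbdata_retry); if message_space is an unsigned type (its declaration is outside the hunks), a short or corrupted database record makes it wrap to a huge value, `message_length > message_space` in the third hunk is then false, and the copy into retry_record->text that follows the hunk writes past the end of the record. The read of retry_record->time_stamp in the first hunk likewise assumes the record is at least a full struct. I would fold the length check into the expiry test, ahead of the time_stamp read, so that a short record is discarded the same way a stale one is: `if ( retry_record && ( message_space < sizeof(dbdata_retry) || now - retry_record->time_stamp > retry_data_expire)) retry_record = NULL;`. Whether the length from dbfn_read_with_length includes the terminating NUL of text, and hence whether the `>` comparison in the third hunk still leaves room for it, cannot be confirmed from these hunks; the enclosing loop begins before the first hunk and continues past the last.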