From 09720dd9506176294154dad7152f5f40554046a4 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Thu, 14 Mar 2019 12:26:34 +0000
Subject: [PATCH 3/5] Fix crash from SRV lookup hitting a CNAME

(cherry picked from commit 14bc9cf085aff7bd5147881e5b7068769a29b026)
---
 doc/ChangeLog |  4 ++++
 src/dns.c         | 10 +++++++---
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/doc/ChangeLog b/doc/ChangeLog
index 419c1061..0f8d05b2 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -19,10 +19,14 @@ JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
       suitably configured).
 
 JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
       and/or domain.  Found and fixed by Jason Betts.
 
+JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid
+      configuration).  If a CNAME target was not a wellformed name pattern, a
+      crash could result.
+
 
 Exim version 4.92
 -----------------
 
 JH/01 Remove code calling the customisable local_scan function, unless a new
diff --git a/src/dns.c b/src/dns.c
index 0f0b435d..b7978c52 100644
--- a/src/dns.c
+++ b/src/dns.c
@@ -714,11 +714,15 @@ regex has substrings that are used - the default uses a conditional.
 This test is omitted for PTR records. These occur only in calls from the dnsdb
 lookup, which constructs the names itself, so they should be OK. Besides,
 bitstring labels don't conform to normal name syntax. (But the aren't used any
 more.)
 
-For SRV records, we omit the initial _smtp._tcp. components at the start. */
+For SRV records, we omit the initial _smtp._tcp. components at the start.
+The check has been seen to bite on the destination of a SRV lookup that
+initiall hit a CNAME, for which the next name had only two components.
+RFC2782 makes no mention of the possibiility of CNAMES, but the Wikipedia
+article on SRV says they are not a valid configuration. */
 
 #ifndef STAND_ALONE   /* Omit this for stand-alone tests */
 
 if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
   {
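Review bot: The new comment text carries two typos — `initiall` should read `initially` and `possibiility` should read `possibility` — and a Wikipedia citation in a source comment is a weak anchor for a security-relevant decision. RFC 2782 is the normative SRV reference, so I would word the tail as `RFC 2782 does not discuss the owner name of an SRV lookup resolving through a CNAME; such a configuration is generally treated as invalid, so this code only needs to avoid crashing on it.` The enclosing function starts before this hunk.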
@@ -730,12 +734,12 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
   /* For an SRV lookup, skip over the first two components (the service and
   protocol names, which both start with an underscore). */
 
   if (type == T_SRV || type == T_TLSA)
     {
-    while (*checkname++ != '.');
-    while (*checkname++ != '.');
+    while (*checkname && *checkname++ != '.') ;
+    while (*checkname && *checkname++ != '.') ;
     }
 
   if (pcre_exec(regex_check_dns_names, NULL, CCS checkname, Ustrlen(checkname),
       0, PCRE_EOPT, ovector, nelem(ovector)) < 0)
     {
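Review bot: The two rewritten `while` loops now stop at the terminator, but they still discard the first two labels of whatever name arrives, so in the CNAME-target case this commit describes the pattern check runs only on the remainder — for a two-label target that is the empty string, and for a longer target the first two labels are never validated at all. The comment above says the skip exists to drop the `_service._proto` prefix, so gating it on that prefix keeps the check on the whole name whenever no such prefix is present: `if (*checkname == '_') while (*checkname && *checkname++ != '.') ;` for each of the two lines. Whether `regex_check_dns_names` accepts or rejects an empty `checkname` is not visible here and should be confirmed; rejection is the fail-closed outcome. The enclosing function begins before this hunk and the `if` block continues past its end.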
-- 
2.20.1