Subversion Repositories libspf2

Rev 37 → Rev 38

/branches/lenny/debian/changelog
1,3 → 1,10
libspf2 (1.2.5.dfsg-5+lenny2) testing-security; urgency=high
 
* 51_actually-keep-track-of-max_var_len.dpatch: Fix possible DoS with
long sender addresses. Thanks to Hannah Schroeter.
 
-- Magnus Holmgren <holmgren@debian.org> Tue, 04 Nov 2008 21:56:56 +0100
 
libspf2 (1.2.5.dfsg-5+lenny1) testing-security; urgency=high
 
* [CVE-2008-2469] 50_dns_resolv_bufoverflow.dpatch: Fix buffer overflows
/branches/lenny/debian/patches/51_actually-keep-track-of-max_var_len.dpatch
0,0 → 1,144
#! /bin/sh /usr/share/dpatch/dpatch-run
## 51_actually-keep-track-of-max_var_len.dpatch by Hannah Schroeter <hannah.schroeter@1und1.de>
##
## DP: actually keep track of max_var_len so SPF_record_expand_data doesn't fail
## DP: and abort the whole program on some cases, e.g. creating the Received-SPF
## DP: header when the envelope from is very long.
##
## src/libspf2/spf_request.c | 50 +++++++++++++++++++++++++++++++++++++++++++-
## 1 files changed, 48 insertions(+), 2 deletions(-)
 
@DPATCH@
diff --git a/src/libspf2/spf_request.c b/src/libspf2/spf_request.c
index 181b0e4..cf6c39b 100644
--- a/src/libspf2/spf_request.c
+++ b/src/libspf2/spf_request.c
@@ -41,6 +41,7 @@ SPF_request_t *
SPF_request_new(SPF_server_t *spf_server)
{
SPF_request_t *sr;
+ const char *rec_dom;
sr = (SPF_request_t *)malloc(sizeof(SPF_request_t));
if (! sr)
@@ -51,6 +52,9 @@ SPF_request_new(SPF_server_t *spf_server)
sr->client_ver = AF_UNSPEC;
sr->ipv4.s_addr = htonl(INADDR_ANY);
sr->ipv6 = in6addr_any;
+ rec_dom = SPF_request_get_rec_dom(sr);
+ if (rec_dom)
+ sr->max_var_len = strlen(rec_dom);
return sr;
}
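Review bot: The added call `SPF_request_get_rec_dom(sr)` compares against `sr->max_var_len` (see the getter's new body later in this patch) before SPF_request_new has assigned that field. This is only safe if the lines between the two SPF_request_new hunks, which are not shown here, zero the structure and set `sr->spf_server` first; the visible allocation is a plain `malloc`, which does not clear memory. I would either state that dependency in a comment above the call, e.g. `/* sr is zeroed and sr->spf_server is set above; the getter reads both */`, or put an explicit `sr->max_var_len = 0;` before it. The following `sr->max_var_len = strlen(rec_dom);` is then redundant, because the getter has already raised the field.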
@@ -116,9 +120,15 @@ SPF_request_set_ipv6_str(SPF_request_t *sr, const char *astr)
SPF_errcode_t
SPF_request_set_helo_dom(SPF_request_t *sr, const char *dom)
{
+ size_t len;
SPF_ASSERT_NOTNULL(dom);
SPF_FREE(sr->helo_dom);
sr->helo_dom = strdup(dom);
+ if (! sr->helo_dom)
+ return SPF_E_NO_MEMORY;
+ len = strlen(dom);
+ if (len > sr->max_var_len)
+ sr->max_var_len = len;
/* set cur_dom and env_from? */
if (sr->env_from == NULL)
return SPF_request_set_env_from(sr, dom);
@@ -130,16 +138,24 @@ SPF_request_set_helo_dom(SPF_request_t *sr, const char *dom)
const char *
SPF_request_get_rec_dom(SPF_request_t *sr)
{
+ char *result;
+ size_t len;
SPF_server_t *spf_server;
spf_server = sr->spf_server;
- return spf_server->rec_dom;
+ result = spf_server->rec_dom;
+ if (result) {
+ len = strlen(result);
+ if (len > sr->max_var_len)
+ sr->max_var_len = len;
+ }
+ return result;
}
int
SPF_request_set_env_from(SPF_request_t *sr, const char *from)
{
char *cp;
- int len;
+ size_t len;
SPF_ASSERT_NOTNULL(from);
SPF_FREE(sr->env_from);
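Review bot: `SPF_request_get_rec_dom` now writes to `sr->max_var_len`, which is unexpected for a function named as a getter and should be documented, e.g. `/* Side effect: raises sr->max_var_len to at least strlen(rec_dom) so SPF_record_expand_data does not fail on long values. */`. Because the update happens inside the getter, the identical `strlen`/compare blocks added after the call in SPF_request_new, SPF_request_prepare and SPF_request_query_record repeat work already done. A single static helper that takes the request and a string and raises the bound, called from every setter, would keep the rule in one place and make it harder to miss a variable when a new one is added. The hunk ends inside SPF_request_set_env_from, whose body continues outside it.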
@@ -187,6 +203,10 @@ SPF_request_set_env_from(SPF_request_t *sr, const char *from)
}
}
+ len = strlen(sr->env_from);
+ if (sr->max_var_len < len)
+ sr->max_var_len = len;
+
return 0;
}
@@ -200,8 +220,12 @@ SPF_request_get_client_dom(SPF_request_t *sr)
SPF_ASSERT_NOTNULL(spf_server);
if (sr->client_dom == NULL) {
+ size_t len;
sr->client_dom = SPF_dns_get_client_dom(spf_server->resolver,
sr);
+ len = strlen(sr->client_dom);
+ if (len > sr->max_var_len)
+ sr->max_var_len = len;
}
return sr->client_dom;
}
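Review bot: The new `len = strlen(sr->client_dom);` dereferences the value returned by `SPF_dns_get_client_dom` without a check. If that helper can return NULL (for instance on allocation failure; its body is not on this page), the process would crash, in a patch whose purpose is to remove a denial of service. Guard it with `if (sr->client_dom) { len = strlen(sr->client_dom); if (len > sr->max_var_len) sr->max_var_len = len; }`. The other additions in this patch already test for NULL (`if (rec_dom)`, `if (! sr->helo_dom)`), so this also makes the patch consistent. The function begins before the hunk.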
@@ -225,6 +249,16 @@ SPF_request_is_loopback(SPF_request_t *sr)
static SPF_errcode_t
SPF_request_prepare(SPF_request_t *sr)
{
+ const char *rec_dom;
+ size_t len;
+
+ /* SPF_request_get_rec_dom result could have changed */
+ rec_dom = SPF_request_get_rec_dom(sr);
+ if (rec_dom) {
+ len = strlen(rec_dom);
+ if (len > sr->max_var_len)
+ sr->max_var_len = len;
+ }
if (sr->use_helo)
sr->cur_dom = sr->helo_dom;
else
@@ -241,11 +275,23 @@ SPF_request_query_record(SPF_request_t *spf_request,
SPF_record_t *spf_record,
SPF_errcode_t err)
{
+ const char *rec_dom;
+ size_t len;
+
if (err != SPF_E_SUCCESS) {
if (spf_record)
SPF_record_free(spf_record);
return err;
}
+
+ /* SPF_request_get_rec_dom result could have changed */
+ rec_dom = SPF_request_get_rec_dom(spf_request);
+ if (rec_dom) {
+ len = strlen(rec_dom);
+ if (len > spf_request->max_var_len)
+ spf_request->max_var_len = len;
+ }
+
/* Now, in theory, SPF_response_errors(spf_response) == 0 */
if (SPF_response_errors(spf_response) > 0)
SPF_infof("Warning: %d errors in response, "
--
1.5.6.4
 
/branches/lenny/debian/patches/00list
15,3 → 15,5
42_empty_sender
43_new_explanation_url
50_dns_resolv_bufoverflow
51_actually-keep-track-of-max_var_len
52_compile_bufoverflow