From 05392bbc11cd269cbf23f0f1e39023ba84787cf2 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Sun, 22 May 2016 22:32:43 +0100 Subject: [PATCH] Fix crash in VRFY handling for an unqualified name. Bug 1836 Introduced-by: 4f6ae5c314e5 --- doc/doc-docbook/spec.xfpt | 2 +- doc/doc-txt/ChangeLog | 3 +++ src/src/smtp_in.c | 43 ++++++++++++++++++++++++++---------- test/scripts/0000-Basic/0041 | 2 ++ test/stdout/0041 | 2 ++ 5 files changed, 39 insertions(+), 13 deletions(-) diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt index d625d88b5..42e116182 100644 --- a/doc/doc-docbook/spec.xfpt +++ b/doc/doc-docbook/spec.xfpt @@ -38394,7 +38394,7 @@ form of the name. Log lines and Received-by: header lines will acquire a "utf8" prefix on the protocol element, eg. utf8esmtp. -The following expansion operator can be used: +The following expansion operators can be used: .code ${utf8_domain_to_alabel:str} ${utf8_domain_from_alabel:str} diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index f5e9b8dea..eca1defa8 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -32,6 +32,9 @@ JH/06 Bug 165: hide more cases of password exposure - this time in expansions JH/07 Retire gnutls_require_mac et.al. These were nonfunctional since 4.80 and logged a warning sing 4.83; now they are a configuration file error. +JH/08 Bug 1836: Fix crash in VRFY handling when handed an unqualified name + (lacking @domain). Apply the same qualification processing as RCPT. + Exim version 4.87 ----------------- diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c index d66b59e30..0d509a38d 100644 --- a/src/src/smtp_in.c +++ b/src/src/smtp_in.c @@ -4352,14 +4352,13 @@ while (done <= 0) /* Apply SMTP rewriting then extract the working address. Don't allow "<>" as a recipient address */ - recipient = ((rewrite_existflags & rewrite_smtp) != 0)? - rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"", - global_rewrite_rules) : smtp_cmd_data; + recipient = rewrite_existflags & rewrite_smtp + ? rewrite_one(smtp_cmd_data, rewrite_smtp, NULL, FALSE, US"", + global_rewrite_rules) + : smtp_cmd_data; - /* rfc821_domains = TRUE; << no longer needed */ recipient = parse_extract_address(recipient, &errmess, &start, &end, &recipient_domain, FALSE); - /* rfc821_domains = FALSE; << no longer needed */ if (recipient == NULL) { @@ -4380,7 +4379,6 @@ while (done <= 0) we must always qualify this address, regardless. */ if (recipient_domain == 0) - { if (allow_unqualified_recipient || strcmpic(recipient, US"postmaster") == 0) { @@ -4400,7 +4398,6 @@ while (done <= 0) host_lookup_msg); break; } - } /* Check maximum allowed */ @@ -4586,18 +4583,40 @@ while (done <= 0) HAD(SCH_VRFY); - if(!(address = parse_extract_address(smtp_cmd_data, &errmess, &start, &end, - &recipient_domain, FALSE))) + if (!(address = parse_extract_address(smtp_cmd_data, &errmess, + &start, &end, &recipient_domain, FALSE))) + { smtp_printf("501 %s\r\n", errmess); + break; + } + + if (recipient_domain == 0) + if ( allow_unqualified_recipient + || strcmpic(address, US"postmaster") == 0) + { + DEBUG(D_receive) debug_printf("unqualified address %s accepted\n", + recipient); + recipient_domain = Ustrlen(recipient) + 1; + address = rewrite_address_qualify(address, TRUE); + } + else + { + smtp_printf("501 %s: recipient address must contain a domain\r\n", + smtp_cmd_data); + log_write(L_smtp_syntax_error, + LOG_MAIN|LOG_REJECT, "unqualified verify rejected: <%s> %s%s", + address, host_and_ident(TRUE), host_lookup_msg); + break; + } - else if ((rc = acl_check(ACL_WHERE_VRFY, address, acl_smtp_vrfy, + if ((rc = acl_check(ACL_WHERE_VRFY, address, acl_smtp_vrfy, &user_msg, &log_msg)) != OK) done = smtp_handle_acl_fail(ACL_WHERE_VRFY, rc, user_msg, log_msg); else { - uschar *s = NULL; + uschar * s = NULL; + address_item * addr = deliver_make_addr(address, FALSE); - address_item *addr = deliver_make_addr(address, FALSE); switch(verify_address(addr, NULL, vopt_is_recipient | vopt_qualify, -1, -1, -1, NULL, NULL, NULL)) { diff --git a/test/scripts/0000-Basic/0041 b/test/scripts/0000-Basic/0041 index 3495375cb..0f8cdb3b5 100644 --- a/test/scripts/0000-Basic/0041 +++ b/test/scripts/0000-Basic/0041 @@ -2,6 +2,8 @@ exim -bh 1.1.1.1 vrfy userx@test.ex vrfy hardfail@test.ex +vrfy unqual +vrfy expn postmaster quit **** diff --git a/test/stdout/0041 b/test/stdout/0041 index b88c93ac7..6b22865b0 100644 --- a/test/stdout/0041 +++ b/test/stdout/0041 @@ -6,6 +6,8 @@ 220 the.local.host.name ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 252 Administrative prohibition 599 custom reject +501 unqual: recipient address must contain a domain +501 empty address 550 Administrative prohibition 221 the.local.host.name closing connection -- 2.25.1