From 4362ff0d4b2a9feee34a595feee087d47faeb447 Mon Sep 17 00:00:00 2001 From: Philip Hazel Date: Tue, 2 Jan 2007 11:25:00 +0000 Subject: [PATCH] Panic-die if a system filter or router generates more then 32767 child addresses. --- doc/doc-txt/ChangeLog | 9 ++++++++- src/src/deliver.c | 5 ++++- src/src/exim.h | 10 +++++++++- src/src/routers/iplookup.c | 5 ++++- src/src/routers/queryprogram.c | 5 ++++- src/src/routers/redirect.c | 5 ++++- 6 files changed, 33 insertions(+), 6 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 8c606107d..fbe0549c8 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.449 2006/12/24 12:12:05 magnus Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.450 2007/01/02 11:25:00 ph10 Exp $ Change log file for Exim from version 4.21 ------------------------------------------- @@ -14,6 +14,13 @@ MH/01 Don't check that the operands of numeric comparison operators are integers when their expansion is in "skipping" mode (fixes bug introduced by 4.64-PH/07). +PH/01 If a system filter or a router generates more than SHRT_MAX (32767) + child addresses, Exim now panics and dies. Previously, because the count + is held in a short int, deliveries were likely to be lost. As such a + large number of recipients for a single message is ridiculous + (performance will be very, very poor), I have chosen to impose a limit + rather than extend the field. + Exim version 4.64 ----------------- diff --git a/src/src/deliver.c b/src/src/deliver.c index 02552317a..6154085ed 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/deliver.c,v 1.38 2006/11/06 15:50:12 ph10 Exp $ */ +/* $Cambridge: exim/src/src/deliver.c,v 1.39 2007/01/02 11:25:00 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -4941,6 +4941,9 @@ else if (system_filter != NULL && process_recipients != RECIP_FAIL_TIMEOUT) while (p != NULL) { + if (parent->child_count == SHRT_MAX) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "system filter generated more " + "than %d delivery addresses", SHRT_MAX); parent->child_count++; p->parent = parent; diff --git a/src/src/exim.h b/src/src/exim.h index 591434312..9882ab348 100644 --- a/src/src/exim.h +++ b/src/src/exim.h @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/exim.h,v 1.19 2006/02/07 11:19:00 ph10 Exp $ */ +/* $Cambridge: exim/src/src/exim.h,v 1.20 2007/01/02 11:25:00 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -75,6 +75,14 @@ making unique names. */ #define INT_MAX 2147483647 #endif +#ifndef INT_MIN +#define INT_MIN (-INT_MAX - 1) +#endif + +#ifndef SHRT_MAX +#define SHRT_MAX 32767 +#endif + #ifndef UCHAR_MAX #define UCHAR_MAX 255 #endif diff --git a/src/src/routers/iplookup.c b/src/src/routers/iplookup.c index 069c0dda1..a0afa9d0a 100644 --- a/src/src/routers/iplookup.c +++ b/src/src/routers/iplookup.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/routers/iplookup.c,v 1.8 2006/10/09 14:36:25 ph10 Exp $ */ +/* $Cambridge: exim/src/src/routers/iplookup.c,v 1.9 2007/01/02 11:25:00 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -378,6 +378,9 @@ new_addr->parent = addr; copyflag(new_addr, addr, af_propagate); new_addr->p = addr->p; +if (addr->child_count == SHRT_MAX) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s router generated more than %d " + "child addresses for <%s>", rblock->name, SHRT_MAX, addr->address); addr->child_count++; new_addr->next = *addr_new; *addr_new = new_addr; diff --git a/src/src/routers/queryprogram.c b/src/src/routers/queryprogram.c index 1b974fc4e..ef3ae8e28 100644 --- a/src/src/routers/queryprogram.c +++ b/src/src/routers/queryprogram.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/routers/queryprogram.c,v 1.8 2006/02/07 14:05:17 ph10 Exp $ */ +/* $Cambridge: exim/src/src/routers/queryprogram.c,v 1.9 2007/01/02 11:25:00 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -122,6 +122,9 @@ while (generated != NULL) next->next = *addr_new; *addr_new = next; + if (addr->child_count == SHRT_MAX) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s router generated more than %d " + "child addresses for <%s>", rblock->name, SHRT_MAX, addr->address); addr->child_count++; DEBUG(D_route) diff --git a/src/src/routers/redirect.c b/src/src/routers/redirect.c index e22699216..2c515d8fa 100644 --- a/src/src/routers/redirect.c +++ b/src/src/routers/redirect.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/routers/redirect.c,v 1.18 2006/11/20 11:43:40 ph10 Exp $ */ +/* $Cambridge: exim/src/src/routers/redirect.c,v 1.19 2007/01/02 11:25:00 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -334,6 +334,9 @@ while (generated != NULL) next->parent = addr; orflag(next, addr, af_ignore_error); next->start_router = rblock->redirect_router; + if (addr->child_count == SHRT_MAX) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "%s router generated more than %d " + "child addresses for <%s>", rblock->name, SHRT_MAX, addr->address); addr->child_count++; next->next = *addr_new; -- 2.25.1