From b975ba52a239bbf56b61a8af88d480bf07c20d81 Mon Sep 17 00:00:00 2001 From: Philip Hazel Date: Wed, 29 Dec 2004 10:16:52 +0000 Subject: [PATCH] The host_aton() buffer overflow: (1) Put a check in host_aton() itself; (2) noted that the exploit via dnsdb/ptr lookup was already fortuitously fixed by a previous change. --- doc/doc-txt/ChangeLog | 14 +++++++++++--- doc/doc-txt/NewStuff | 8 ++++---- src/src/host.c | 10 ++++++++-- 3 files changed, 23 insertions(+), 9 deletions(-) diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 349296817..eff7a9d7e 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.57 2004/12/22 12:05:45 ph10 Exp $ +$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.58 2004/12/29 10:16:52 ph10 Exp $ Change log file for Exim from version 4.21 ------------------------------------------- @@ -236,8 +236,8 @@ Exim version 4.50 55. Some experimental protocols are using DNS PTR records for new purposes. The keys for these records are domain names, not reversed IP addresses. The - dnsdb lookup now tests whether it's key is an IP address. If not, it leaves - it alone. Component reversal etc. now happens only for IP addresses. + dnsdb PTR lookup now tests whether its key is an IP address. If not, it + leaves it alone. Component reversal etc. now happens only for IP addresses. 56. Improve error message when ldap_search() fails in OpenLDAP or Solaris LDAP. @@ -253,6 +253,14 @@ Exim version 4.50 (2) The default for smtp_banner uses $smtp_active_hostname instead of $primary_hostname. +60. The host_aton() function is supposed to be passed a string that is known + to be a valid IP address. However, in the case of IPv6 addresses, it was + not checking this. This is a hostage to fortune. Exim now panics and dies + if the condition is not met. A case was found where this could be provoked + from a dnsdb lookup; fortuitously, this particular loophole had already + been fixed by change 4.50/55 above. If there are any other similar + loopholes, the new check should stop them being exploited. + Exim version 4.43 ----------------- diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index bf9890bb3..30cb58ab5 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -1,4 +1,4 @@ -$Cambridge: exim/doc/doc-txt/NewStuff,v 1.23 2004/12/22 12:05:45 ph10 Exp $ +$Cambridge: exim/doc/doc-txt/NewStuff,v 1.24 2004/12/29 10:16:52 ph10 Exp $ New Features in Exim -------------------- @@ -234,9 +234,9 @@ Version 4.50 19. The Exiscan patch is now merged into the main source. See src/EDITME for parameters for the build. -20. If the key for a dnsdb lookup is not an IP address, it is used verbatim, - without component reversal and without the addition of in-addr.arpa or - ip6.arpa. +20. If the key for a dnsdb PTR lookup is not an IP address, it is used + verbatim, without component reversal and without the addition of + in-addr.arpa or ip6.arpa. 21. Two changes related to the smtp_active_hostname option: diff --git a/src/src/host.c b/src/src/host.c index fb58ab4da..46c57683a 100644 --- a/src/src/host.c +++ b/src/src/host.c @@ -1,4 +1,4 @@ -/* $Cambridge: exim/src/src/host.c,v 1.3 2004/11/18 11:17:33 ph10 Exp $ */ +/* $Cambridge: exim/src/src/host.c,v 1.4 2004/12/29 10:16:53 ph10 Exp $ */ /************************************************* * Exim - an Internet mail transport agent * @@ -754,12 +754,18 @@ if (Ustrchr(address, ':') != NULL) if (*p == ':') p++; - /* Split the address into components separated by colons. */ + /* Split the address into components separated by colons. The input address + is supposed to be checked for syntax. There was a case where this was + overlooked; to guard against that happening again, check here and crash if + there is a violation. */ while (*p != 0) { int len = Ustrcspn(p, ":"); if (len == 0) nulloffset = ci; + if (ci > 7) log_write(0, LOG_MAIN|LOG_PANIC_DIE, + "Internal error: invalid IPv6 address \"%s\" passed to host_aton()", + address); component[ci++] = p; p += len; if (*p == ':') p++; -- 2.25.1