From bf485bf34df3fc2214765497a5552851c6a8977a Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Tue, 30 Dec 2014 20:39:02 +0000
Subject: [PATCH] Fix crash in mime acl when a parameter is unterminated

Verified-by: Wolfgang Breyha
---
 src/src/mime.c | 33 ++++++++++--------------------
 test/confs/4000 | 1 +
 test/log/4000 | 9 ++++++---
 test/mail/4000.userx | 36 +++++++++++++++++++++++++++++++++
 test/scripts/4000-scanning/4000 | 27 +++++++++++++++++++++++++
 test/stdout/4000 | 11 ++++++++++
 6 files changed, 92 insertions(+), 25 deletions(-)

diff --git a/src/src/mime.c b/src/src/mime.c
index a61e9f22f..e5fe476d0 100644
--- a/src/src/mime.c
+++ b/src/src/mime.c
@@ -599,46 +599,35 @@ NEXT_PARAM_SEARCH: /* found an interesting parameter? */ if (strncmpic(mp->name, p, mp->namelen) == 0) { - uschar * q = p + mp->namelen; - int plen = 0; int size = 0; int ptr = 0; /* yes, grab the value and copy to its corresponding expansion variable */ - while(*q && *q != ';') /* ; terminates */ - if (*q == '"') + p += mp->namelen; + while(*p && *p != ';') /* ; terminates */ + if (*p == '"') { - q++; /* skip leading " */ - plen++; /* and account for the skip */ - while(*q && *q != '"') /* " protects ; */ - { - param_value = string_cat(param_value, &size, &ptr, q++, 1); - plen++; - } - if (*q) - { - q++; /* skip trailing " */ - plen++; - } + p++; /* skip leading " */ + while(*p && *p != '"') /* " protects ; */ + param_value = string_cat(param_value, &size, &ptr, p++, 1); + if (*p) p++; /* skip trailing " */ } else - { - param_value = string_cat(param_value, &size, &ptr, q++, 1); - plen++; - } + param_value = string_cat(param_value, &size, &ptr, p++, 1); + if (*p) p++; /* skip trailing ; */ if (param_value) { + uschar * dummy; param_value[ptr++] = '\0'; param_value = rfc2047_decode(param_value, - check_rfc2047_length, NULL, 32, NULL, &q); + check_rfc2047_length, NULL, 32, NULL, &dummy); debug_printf("Found %s MIME parameter in %s header, " "value is '%s'\n", mp->name, mime_header_list[i].name, param_value); } *mp->value = param_value; - p += mp->namelen + plen + 1; /* name=, content, ; */ goto NEXT_PARAM_SEARCH; } } diff --git a/test/confs/4000 b/test/confs/4000 index febe9a5e7..e1275c17d 100644 --- a/test/confs/4000 +++ b/test/confs/4000 @@ -8,6 +8,7 @@ spool_directory = DIR/spool log_file_path = DIR/spool/log/%slog gecos_pattern = "" gecos_name = CALLER_NAME +log_selector = +subject # ----- Main settings ----- diff --git a/test/log/4000 b/test/log/4000 index a6f5d2f70..bd4918963 100644 --- a/test/log/4000 +++ b/test/log/4000 
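Review bot: The out-parameter passed as `&dummy` to `rfc2047_decode()` is discarded and the returned pointer is stored in `*mp->value` unchecked, so a value that fails decoding cannot be told apart from a parameter that was never present. If that last argument is the decoder's error string and the return is NULL on failure (the call shape suggests it, but the decoder is not in this hunk), keep it: declare `uschar * errmsg;` instead and add `if (!param_value) debug_printf("MIME parameter %s: decode failed: %s\n", mp->name, errmsg);` before the existing `debug_printf`. Separately, the outer `while` has an unbraced `if`/`else` body, so the following `if (*p) p++; /* skip trailing ; */` is easy to misread as part of the loop; bracing the `while` body would make explicit the terminator handling this fix depends on. The enclosing loop and the `NEXT_PARAM_SEARCH` label start outside the hunk.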
@@ -1,9 +1,12 @@
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3058@test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3058@test.ex T="[exim] Re: Bug#286074: eximstats: uses message count as data for\n the \"volume\" charts"
 1999-03-02 09:44:33 10HmaX-0005vi-00 => userx R=r1 T=t1
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3058@test.ex
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3058@test.ex T="Nasty"
 1999-03-02 09:44:33 10HmaY-0005vi-00 => userx R=r1 T=t1
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
-1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3059@test.ex
+1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3059@test.ex T="Nasty"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx R=r1 T=t1
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
+1999-03-02 09:44:33 10HmbA-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss id=20041217133501.GA3059@test.ex T="Nasty3"
+1999-03-02 09:44:33 10HmbA-0005vi-00 => userx R=r1 T=t1
+1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
diff --git a/test/mail/4000.userx b/test/mail/4000.userx
index 725770d63..81b21d224 100644
--- a/test/mail/4000.userx
+++ b/test/mail/4000.userx
@@ -218,3 +218,39 @@ foobar --T4sUOijqQbZv57TR-- +From CALLER@myhost.test.ex Tue Mar 02 09:44:33 1999 +Received: from CALLER (helo=test.ex) + by myhost.test.ex with local-esmtp (Exim x.yz) + (envelope-from ) + id 10HmbA-0005vi-00 + for userx@test.ex; Tue, 2 Mar 1999 09:44:33 +0000 +Date: Tue, 2 Mar 1999 09:44:33 +0000 +From: J Caesar +To: a-list00@exim.org +Message-ID: <20041217133501.GA3059@test.ex> +Mime-Version: 1.0 +Content-Type: text/plain; charset="utf-8"" +Content-Disposition: inline +Subject: Nasty3 +Sender: CALLER_NAME +X-0-content-type: text/plain +X-0-filename: +X-0-charset: utf-8; +X-0-boundary: +X-0-content-disposition: inline +X-0-content-transfer-encoding: +X-0-content-id: +X-0-content-description: +X-0-is-multipart: 0 +X-0-is-coverletter: 1 +X-0-is-rfc822: 0 +X-0-decode-filename: TESTSUITE/spool/scan/10HmbA-0005vi-00/10HmbA-0005vi-00-00000 +X-0-content-size: 1 + +--T4sUOijqQbZv57TR +Content-Type: text/plain; + +foobar + +--T4sUOijqQbZv57TR-- + diff --git a/test/scripts/4000-scanning/4000 b/test/scripts/4000-scanning/4000 index 2f760bca0..de175dec5 100644 --- a/test/scripts/4000-scanning/4000 +++ b/test/scripts/4000-scanning/4000 @@ -126,3 +126,30 @@ foobar . quit **** +# +# +# This one has a 3rd rotten parameter style +# +exim -odi -bs +ehlo test.ex +mail from:<> +rcpt to: +data +Date: Fri, 17 Dec 2004 14:35:01 +0100 +From: J Caesar +To: a-list00@exim.org +Message-ID: <20041217133501.GA3059@test.ex> +Mime-Version: 1.0 +Content-Type: text/plain; charset="utf-8"" +Content-Disposition: inline +Subject: Nasty3 + +--T4sUOijqQbZv57TR +Content-Type: text/plain; + +foobar + +--T4sUOijqQbZv57TR-- +. +quit +**** diff --git a/test/stdout/4000 b/test/stdout/4000 index 42d2eefc7..ae27f526e 100644 --- a/test/stdout/4000 +++ b/test/stdout/4000 
@@ -31,3 +31,14 @@
 354 Enter message, ending with "." on a line by itself
 250 OK id=10HmaZ-0005vi-00
 221 myhost.test.ex closing connection
+220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+250-myhost.test.ex Hello CALLER at test.ex
+250-SIZE 52428800
+250-8BITMIME
+250-PIPELINING
+250 HELP
+250 OK
+250 Accepted
+354 Enter message, ending with "." on a line by itself
+250 OK id=10HmbA-0005vi-00
+221 myhost.test.ex closing connection
-- 
2.25.1