Fix crash from SRV lookup hitting a CNAME

diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 5a42f0e7cecea42032c3e39238e684585bc0679c..2239d9c16cc8a6415bba78e4f4978ce4ae5b7c5d 100644 (file)
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -35,6 +35,10 @@ JH/07 GnuTLS: Our use of late (post-handshake) certificate verification, under
 JB/01 Bug 2375: fix expansions of 822 addresses having comments in local-part
       and/or domain.  Found and fixed by Jason Betts.
 
+JH/08 Add hardening against SRV & TLSA lookups the hit CNAMEs (a nonvalid
+      configuration).  If a CNAME target was not a wellformed name pattern, a
+      crash could result.
+
 
 Exim version 4.92
 -----------------

diff --git a/src/src/dns.c b/src/src/dns.c
index dd929d49fc0bc4e3fb7e1a27954965b85d139dde..6ef6b7784b03343bff3a2b3fae635577d8300d37 100644 (file)
--- a/src/src/dns.c
+++ b/src/src/dns.c
@@ -710,7 +710,11 @@ lookup, which constructs the names itself, so they should be OK. Besides,
 bitstring labels don't conform to normal name syntax. (But the aren't used any
 more.)
 
-For SRV records, we omit the initial _smtp._tcp. components at the start. */
+For SRV records, we omit the initial _smtp._tcp. components at the start.
+The check has been seen to bite on the destination of a SRV lookup that
+initiall hit a CNAME, for which the next name had only two components.
+RFC2782 makes no mention of the possibiility of CNAMES, but the Wikipedia
+article on SRV says they are not a valid configuration. */
 
 #ifndef STAND_ALONE   /* Omit this for stand-alone tests */
 
@@ -726,8 +730,8 @@ if (check_dns_names_pattern[0] != 0 && type != T_PTR && type != T_TXT)
 
   if (type == T_SRV || type == T_TLSA)
     {
-    while (*checkname++ != '.');
-    while (*checkname++ != '.');
+    while (*checkname && *checkname++ != '.') ;
+    while (*checkname && *checkname++ != '.') ;
     }
 
   if (pcre_exec(regex_check_dns_names, NULL, CCS checkname, Ustrlen(checkname),