From ef8406816ea0fc82b5d80009b30cb83ad9af6f2f Mon Sep 17 00:00:00 2001
From: Phil Pennock
Date: Fri, 4 May 2012 18:22:16 -0700
Subject: [PATCH] Check localhost_number expansion for failure. Avoids NULL dereference. Report and patch from Alun Jones. Also a couple of SIZE_T_FMT sizeof() printf string fixes while I was in there. fixes bug 1122
---
 doc/doc-txt/ChangeLog | 3 +++
 src/src/acl.c | 2 +-
 src/src/readconf.c | 11 ++++++++---
 3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 55cde6dcf..80e8edf97 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -78,6 +78,9 @@ PP/17 OpenSSL: new expansion var $tls_sni, which if used in tls_certificate Also option tls_sni on SMTP Transports. Also clear $tls_bits correctly before an outbound SMTP session. New log_selector, +tls_sni.
+PP/18 Bugzilla 1122 - check localhost_number expansion for failure, avoid
+ NULL dereference. Report and patch from Alun Jones.
+
 Exim version 4.77
 -----------------
diff --git a/src/src/acl.c b/src/src/acl.c
index 3cafd8184..b93ac6965 100644
--- a/src/src/acl.c
+++ b/src/src/acl.c
@@ -2093,7 +2093,7 @@ uschar buffer[STRING_SPRINTF_BUFFER_SIZE];
 va_start(ap, format);
 if (!string_vformat(buffer, sizeof(buffer), format, ap))
 log_write(0, LOG_MAIN|LOG_PANIC_DIE,
- "string_sprintf expansion was longer than %ld", sizeof(buffer));
+ "string_sprintf expansion was longer than " SIZE_T_FMT, sizeof(buffer));
 va_end(ap);
 *log_msgptr = string_sprintf(
 "error in arguments to \"ratelimit\" condition: %s", buffer);
diff --git a/src/src/readconf.c b/src/src/readconf.c
index c62235916..b35811e48 100644
--- a/src/src/readconf.c
+++ b/src/src/readconf.c
@@ -520,7 +520,7 @@ while (isalnum(*s) || *s == '_')
 {
 if (namelen >= sizeof(name) - 1)
 log_write(0, LOG_PANIC_DIE|LOG_CONFIG_IN,
- "macro name too long (maximum is %d characters)", sizeof(name) - 1);
+ "macro name too long (maximum is " SIZE_T_FMT " characters)", sizeof(name) - 1);
 name[namelen++] = *s++;
 }
 name[namelen] = 0;
@@ -3189,9 +3189,14 @@ so as to ensure that everything else is set up before the expansion. */
 if (host_number_string != NULL)
 {
+ long int n;
 uschar *end;
 uschar *s = expand_string(host_number_string);
- long int n = Ustrtol(s, &end, 0);
+ if (s == NULL)
+ log_write(0, LOG_MAIN|LOG_PANIC_DIE,
+ "failed to expand localhost_number \"%s\": %s",
+ host_number_string, expand_string_message);
+ n = Ustrtol(s, &end, 0);
 while (isspace(*end)) end++;
 if (*end != 0)
 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
@@ -3607,7 +3612,7 @@ else if (strncmpic(pp, US"tls_required", p - pp) == 0)
 *basic_errno = ERRNO_TLSREQUIRED;
 else if (len != 1 || Ustrncmp(pp, "*", 1) != 0)
- return string_sprintf("unknown or malformed retry error \"%.*s\"", p-pp, pp);
+ return string_sprintf("unknown or malformed retry error \"%.*s\"", (int) (p-pp), pp);
 return NULL;
 }
--
2.25.1
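Review bot: In the localhost_number hunk of src/src/readconf.c (`@@ -3189,9 +3189,14 @@`), an expansion that succeeds but yields an empty or all-whitespace string still passes validation, because `Ustrtol(s, &end, 0)` returns 0 with `end == s` and the following `if (*end != 0)` test only rejects trailing garbage. A misconfigured option would therefore be read silently as host number 0; a check placed directly after the conversion and before the whitespace skip, such as `if (end == s) log_write(0, LOG_PANIC_DIE|LOG_CONFIG, "localhost_number value is not a number: %s", s);`, would close that gap. The new NULL guard also relies on `log_write()` with `LOG_PANIC_DIE` never returning, which a short comment like `/* LOG_PANIC_DIE: log_write does not return */` would make explicit for the next reader. The enclosing block continues beyond the hunk, so any range check applied to `n` afterwards is not visible here.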