1 Date: Sun, 1 Oct 2023 11:33:26 +0200
\r
2 To: exim-dev@lists.exim.org
\r
3 From: Florian Zumbiehl via Exim-dev <exim-dev@lists.exim.org>
\r
7 below you find a patch that fixes some (probably three?) of what I guess are
\r
8 the vulnerabilities reported by ZDI.
\r
10 Please note that the patch is only mildly tested, it is developed based on
\r
11 the git master branch, but can be applied to older versions with minor
\r
12 massaging. If you go back far enough, proxy.c was part of smtp_in.c, but if
\r
13 you adjust for that, the patch can be made to apply there, too.
\r
15 Obviously, I have no idea whether this actually addresses what ZDI has
\r
16 reported, but if not, these probably should be fixed, too, and if so, given
\r
17 the fact that I managed to rather easily find these vulnerabilities based
\r
18 on the information that's publicly available, I don't think there is much
\r
19 point to trying to keep this secret any longer--if anything, it's
\r
22 Also mind you that this is a hot fix, it's neither elegant, nor does it do
\r
23 any useful error reporting, the goal was simply to prevent out of bounds
\r
30 diff --git a/src/src/auths/external.c b/src/src/auths/external.c
\r
31 index 078aad0..54966e6 100644
\r
32 --- a/src/src/auths/external.c
\r
33 +++ b/src/src/auths/external.c
\r
34 @@ -101,6 +101,9 @@ if (expand_nmax == 0) /* skip if rxd data */
\r
35 if ((rc = auth_prompt(CUS"")) != OK)
\r
38 +if (expand_nmax != 1)
\r
41 if (ob->server_param2)
\r
43 uschar * s = expand_string(ob->server_param2);
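Review bot: The added `if (expand_nmax != 1)` guard carries no comment naming the invariant it enforces, and the statement it controls is not visible on this page. From the surrounding lines it appears to require exactly one received data item before `ob->server_param2` is expanded, so I would add above it `/* exactly one AUTH data item must have been received; reject anything else before the expansion variables are used */`. A `DEBUG(D_auth) debug_printf(...)` line on the reject path would also let an operator tell a malformed client apart from a configuration problem. The enclosing function starts and ends outside the hunk.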
\r
44 diff --git a/src/src/proxy.c b/src/src/proxy.c
\r
45 index fbce111..8dd7034 100644
\r
46 --- a/src/src/proxy.c
\r
47 +++ b/src/src/proxy.c
\r
48 @@ -93,6 +93,8 @@ while (capacity > 0)
\r
49 do { ret = read(fd, to, 1); } while (ret == -1 && errno == EINTR && !had_command_timeout);
\r
57 @@ -254,6 +256,8 @@ if ((ret == PROXY_INITIAL_READ) && (memcmp(&hdr.v2, v2sig, sizeof(v2sig)) == 0))
\r
63 /* The v2 header will always be 16 bytes per the spec. */
\r
64 size = 16 + ntohs(hdr.v2.len);
\r
65 DEBUG(D_receive) debug_printf("Detected PROXYv2 header, size %d (limit %d)\n",
\r
66 @@ -274,7 +278,7 @@ if ((ret == PROXY_INITIAL_READ) && (memcmp(&hdr.v2, v2sig, sizeof(v2sig)) == 0))
\r
68 retmore = read(fd, (uschar*)&hdr + ret, size-ret);
\r
69 } while (retmore == -1 && errno == EINTR && !had_command_timeout);
\r
70 - if (retmore == -1)
\r
73 DEBUG(D_receive) proxy_debug(US &hdr, ret, ret + retmore);
\r
75 @@ -297,6 +301,8 @@ if (ret >= 16 && memcmp(&hdr.v2, v2sig, 12) == 0)
\r
78 case 0x11: /* TCPv4 address type */
\r
82 tmpaddr.sin_addr.s_addr = hdr.v2.addr.ip4.src_addr;
\r
83 inet_ntop(AF_INET, &tmpaddr.sin_addr, CS &tmpip, sizeof(tmpip));
\r
84 @@ -323,6 +329,8 @@ if (ret >= 16 && memcmp(&hdr.v2, v2sig, 12) == 0)
\r
85 proxy_external_port = tmpport;
\r
87 case 0x21: /* TCPv6 address type */
\r
91 memmove(tmpaddr6.sin6_addr.s6_addr, hdr.v2.addr.ip6.src_addr, 16);
\r
92 inet_ntop(AF_INET6, &tmpaddr6.sin6_addr, CS &tmpip6, sizeof(tmpip6));
\r
93 @@ -381,10 +389,13 @@ else if (ret >= 8 && memcmp(hdr.v1.line, "PROXY", 5) == 0)
\r
99 + hdr.v1.line[ret] = 0;
\r
100 p = string_copy(hdr.v1.line);
\r
101 end = memchr(p, '\r', ret - 1);
\r
103 - if (!end || (end == (uschar*)&hdr + ret) || end[1] != '\n')
\r
104 + if (!end || end[1] != '\n')
\r
106 DEBUG(D_receive) debug_printf("Partial or invalid PROXY header\n");
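Review bot: In the PROXYv1 hunk, `memchr(p, '\r', ret - 1)` still scans `ret - 1` bytes of the copy `p`, but `string_copy(hdr.v1.line)` presumably stops at the first NUL byte, so a header with an embedded NUL gives a copy shorter than `ret` and the search can read past its end. Bounding the search by the copy itself, for example `end = Ustrchr(p, '\r');`, keeps the search and the following `end[1]` test inside the terminated string. The new `hdr.v1.line[ret] = 0;` store also relies on `ret` being strictly smaller than the size of `hdr.v1.line`; the lines that bound `ret` are not visible on this page, so that limit should be confirmed. The enclosing block starts and ends outside the hunk.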
\r