Posted to commits@spamassassin.apache.org by si...@apache.org on 2006/04/06 21:18:01 UTC

svn commit: r392044 - in /spamassassin/branches/3.1: spamc/libspamc.c t/data/spam/bsmtpnull t/spamc_B.t

Author: sidney
Date: Thu Apr  6 12:17:59 2006
New Revision: 392044

URL: http://svn.apache.org/viewcvs?rev=392044&view=rev
Log:
bug 4707: seg fault from buffer overflow; not realistically exploitable, but good to fix

Added:
    spamassassin/branches/3.1/t/data/spam/bsmtpnull
Modified:
    spamassassin/branches/3.1/spamc/libspamc.c
    spamassassin/branches/3.1/t/spamc_B.t

Modified: spamassassin/branches/3.1/spamc/libspamc.c
URL: http://svn.apache.org/viewcvs/spamassassin/branches/3.1/spamc/libspamc.c?rev=392044&r1=392043&r2=392044&view=diff
==============================================================================
--- spamassassin/branches/3.1/spamc/libspamc.c (original)
+++ spamassassin/branches/3.1/spamc/libspamc.c Thu Apr  6 12:17:59 2006
@@ -97,7 +97,7 @@
 #undef DO_CONNECT_DEBUG_SYSLOGS
 /* or #define DO_CONNECT_DEBUG_SYSLOGS 1 */
 
-static const int ESC_PASSTHROUGHRAW = EX__MAX + 666;
+/* static const int ESC_PASSTHROUGHRAW = EX__MAX + 666;  No longer seems to be used */
 
 /* set EXPANSION_ALLOWANCE to something more than might be
    added to a message in X-headers and the report template */
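Review bot: The added line keeps `ESC_PASSTHROUGHRAW` as commented-out code with the remark "No longer seems to be used"; if the constant has no remaining users in libspamc.c, deleting the line outright is cleaner, since the revision history already preserves it. A search of the file for the name before removal would settle the question and let the hedge in the comment go.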
@@ -517,8 +517,9 @@
 
 static int _message_read_bsmtp(int fd, struct message *m)
 {
-    unsigned int i, j;
+    unsigned int i, j, p_len;
     char prev;
+    char* p;
 
     _clear_message(m);
     if ((m->raw = malloc(m->max_len + 1)) == NULL)
@@ -535,31 +536,34 @@
     m->type = MESSAGE_ERROR;
     if (m->raw_len > m->max_len)
 	return EX_TOOBIG;
-    m->pre = m->raw;
-    for (i = 0; i < m->raw_len - 6; i++) {
-	if ((m->raw[i] == '\n') &&
-	    (m->raw[i + 1] == 'D' || m->raw[i + 1] == 'd') &&
-	    (m->raw[i + 2] == 'A' || m->raw[i + 2] == 'a') &&
-	    (m->raw[i + 3] == 'T' || m->raw[i + 3] == 't') &&
-	    (m->raw[i + 4] == 'A' || m->raw[i + 4] == 'a') &&
-	    ((m->raw[i + 5] == '\r' && m->raw[i + 6] == '\n')
-	     || m->raw[i + 5] == '\n')) {
-	    /* Found it! */
-	    i += 6;
-	    if (m->raw[i - 1] == '\r')
-		i++;
-	    m->pre_len = i;
-	    m->msg = m->raw + i;
-	    m->msg_len = m->raw_len - i;
-	    break;
+    p = m->pre = m->raw;
+    /* Search for \nDATA\n which marks start of actual message */
+    while ((p_len = (m->raw_len - (p - m->raw))) > 8) { /* leave room for at least \nDATA\n.\n */
+      char* q = memchr(p, '\n', p_len - 8);  /* find next \n then see if start of \nDATA\n */
+      if (q == NULL) break;
+      q++;
+      if (((q[0]|0x20) == 'd') && /* case-insensitive ASCII comparison */
+	  ((q[1]|0x20) == 'a') &&
+	  ((q[2]|0x20) == 't') &&
+	  ((q[3]|0x20) == 'a')) {
+	q+=4;
+	if (q[0] == '\r') ++q;
+	if (*(q++) == '\n') {  /* leave q at start of message if we found it */
+	  m->msg = q;
+	  m->pre_len = q - m->raw;
+	  m->msg_len = m->raw_len - m->pre_len;
+	  break;
 	}
+      }
+      p = q; // the above code ensures no other '\n' comes before q
     }
     if (m->msg == NULL)
 	return EX_DATAERR;
 
     /* Find the end-of-DATA line */
+    /* if bad format with no end ".\n" will truncate the last two characters of the buffer */
     prev = '\n';
-    for (i = j = 0; i < m->msg_len; i++) {
+    for (i = j = 0; (i+2) < m->msg_len; i++) { /* (i+2) prevents out of bound reference msg[i+2] */
 	if (prev == '\n' && m->msg[i] == '.') {
 	    /* Dot at the beginning of a line */
 	    if ((m->msg[i + 1] == '\r' && m->msg[i + 2] == '\n')
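Review bot: The new bound `(i+2) < m->msg_len` on the end-of-DATA loop stops `i` at `msg_len - 3`, so a lone `.\n` occupying the last two bytes of the buffer is never examined, and a well-formed LF-terminated message becomes indistinguishable from an unterminated one that silently loses two bytes of content, as the added comment admits. Bounding each lookahead instead keeps the out-of-bounds fix without that ambiguity: leave the loop at `i < m->msg_len` and test `(i + 1 < m->msg_len && m->msg[i + 1] == '\n') || (i + 2 < m->msg_len && m->msg[i + 1] == '\r' && m->msg[i + 2] == '\n')`. The rest of the loop body lies outside this hunk, so any further `m->msg[i + 1]` read there needs the same guard, and a missing terminator could then return `EX_DATAERR` the way the missing-DATA case just above does. The DATA search has a similar margin: under `p_len > 8`, `memchr(p, '\n', p_len - 8)` appears never to inspect a `\n` that begins a trailing 8-byte `\nDATA\n.\n`, which the comment says should fit. The `//` comment on `p = q;` is also the only C99-style comment in the hunk; `/* ... */` would match the rest.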

Added: spamassassin/branches/3.1/t/data/spam/bsmtpnull
URL: http://svn.apache.org/viewcvs/spamassassin/branches/3.1/t/data/spam/bsmtpnull?rev=392044&view=auto
==============================================================================
--- spamassassin/branches/3.1/t/data/spam/bsmtpnull (added)
+++ spamassassin/branches/3.1/t/data/spam/bsmtpnull Thu Apr  6 12:17:59 2006
@@ -0,0 +1,2 @@
+
+

Modified: spamassassin/branches/3.1/t/spamc_B.t
URL: http://svn.apache.org/viewcvs/spamassassin/branches/3.1/t/spamc_B.t?rev=392044&r1=392043&r2=392044&view=diff
==============================================================================
--- spamassassin/branches/3.1/t/spamc_B.t (original)
+++ spamassassin/branches/3.1/t/spamc_B.t Thu Apr  6 12:17:59 2006
@@ -3,7 +3,7 @@
 use lib '.'; use lib 't';
 use SATest; sa_t_init("spamc_B");
 
-use Test; plan tests => ($SKIP_SPAMC_TESTS ? 0 : 8);
+use Test; plan tests => ($SKIP_SPAMC_TESTS ? 0 : 9);
 
 exit if $SKIP_SPAMC_TESTS;
 # ---------------------------------------------------------------------------
@@ -26,6 +26,7 @@
 );
 
 start_spamd("-L");
+ok (spamcrun ("-B < data/spam/bsmtpnull", \&patterns_run_cb));
 ok (spamcrun ("-B < data/spam/bsmtp", \&patterns_run_cb));
 ok_all_patterns();
 stop_spamd();