You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spamassassin.apache.org by si...@apache.org on 2006/04/06 21:18:01 UTC
svn commit: r392044 - in /spamassassin/branches/3.1: spamc/libspamc.c
t/data/spam/bsmtpnull t/spamc_B.t
Author: sidney
Date: Thu Apr 6 12:17:59 2006
New Revision: 392044
URL: http://svn.apache.org/viewcvs?rev=392044&view=rev
Log:
bug 4707: seg fault from buffer overflow not realistically exploitable but good to fix
Added:
spamassassin/branches/3.1/t/data/spam/bsmtpnull
Modified:
spamassassin/branches/3.1/spamc/libspamc.c
spamassassin/branches/3.1/t/spamc_B.t
Modified: spamassassin/branches/3.1/spamc/libspamc.c
URL: http://svn.apache.org/viewcvs/spamassassin/branches/3.1/spamc/libspamc.c?rev=392044&r1=392043&r2=392044&view=diff
==============================================================================
--- spamassassin/branches/3.1/spamc/libspamc.c (original)
+++ spamassassin/branches/3.1/spamc/libspamc.c Thu Apr 6 12:17:59 2006
@@ -97,7 +97,7 @@
#undef DO_CONNECT_DEBUG_SYSLOGS
/* or #define DO_CONNECT_DEBUG_SYSLOGS 1 */
-static const int ESC_PASSTHROUGHRAW = EX__MAX + 666;
+/* static const int ESC_PASSTHROUGHRAW = EX__MAX + 666; No longer seems to be used */
/* set EXPANSION_ALLOWANCE to something more than might be
added to a message in X-headers and the report template */
@@ -517,8 +517,9 @@
static int _message_read_bsmtp(int fd, struct message *m)
{
- unsigned int i, j;
+ unsigned int i, j, p_len;
char prev;
+ char* p;
_clear_message(m);
if ((m->raw = malloc(m->max_len + 1)) == NULL)
@@ -535,31 +536,34 @@
m->type = MESSAGE_ERROR;
if (m->raw_len > m->max_len)
return EX_TOOBIG;
- m->pre = m->raw;
- for (i = 0; i < m->raw_len - 6; i++) {
- if ((m->raw[i] == '\n') &&
- (m->raw[i + 1] == 'D' || m->raw[i + 1] == 'd') &&
- (m->raw[i + 2] == 'A' || m->raw[i + 2] == 'a') &&
- (m->raw[i + 3] == 'T' || m->raw[i + 3] == 't') &&
- (m->raw[i + 4] == 'A' || m->raw[i + 4] == 'a') &&
- ((m->raw[i + 5] == '\r' && m->raw[i + 6] == '\n')
- || m->raw[i + 5] == '\n')) {
- /* Found it! */
- i += 6;
- if (m->raw[i - 1] == '\r')
- i++;
- m->pre_len = i;
- m->msg = m->raw + i;
- m->msg_len = m->raw_len - i;
- break;
+ p = m->pre = m->raw;
+ /* Search for \nDATA\n which marks start of actual message */
+ while ((p_len = (m->raw_len - (p - m->raw))) > 8) { /* leave room for at least \nDATA\n.\n */
+ char* q = memchr(p, '\n', p_len - 8); /* find next \n then see if start of \nDATA\n */
+ if (q == NULL) break;
+ q++;
+ if (((q[0]|0x20) == 'd') && /* case-insensitive ASCII comparison */
+ ((q[1]|0x20) == 'a') &&
+ ((q[2]|0x20) == 't') &&
+ ((q[3]|0x20) == 'a')) {
+ q+=4;
+ if (q[0] == '\r') ++q;
+ if (*(q++) == '\n') { /* leave q at start of message if we found it */
+ m->msg = q;
+ m->pre_len = q - m->raw;
+ m->msg_len = m->raw_len - m->pre_len;
+ break;
}
+ }
+ p = q; // the above code ensures no other '\n' comes before q
}
if (m->msg == NULL)
return EX_DATAERR;
/* Find the end-of-DATA line */
+ /* if bad format with no end ".\n" will truncate the last two characters of the buffer */
prev = '\n';
- for (i = j = 0; i < m->msg_len; i++) {
+ for (i = j = 0; (i+2) < m->msg_len; i++) { /* (i+2) prevents out of bound reference msg[i+2] */
if (prev == '\n' && m->msg[i] == '.') {
/* Dot at the beginning of a line */
if ((m->msg[i + 1] == '\r' && m->msg[i + 2] == '\n')
Added: spamassassin/branches/3.1/t/data/spam/bsmtpnull
URL: http://svn.apache.org/viewcvs/spamassassin/branches/3.1/t/data/spam/bsmtpnull?rev=392044&view=auto
==============================================================================
--- spamassassin/branches/3.1/t/data/spam/bsmtpnull (added)
+++ spamassassin/branches/3.1/t/data/spam/bsmtpnull Thu Apr 6 12:17:59 2006
@@ -0,0 +1,2 @@
+
+
Modified: spamassassin/branches/3.1/t/spamc_B.t
URL: http://svn.apache.org/viewcvs/spamassassin/branches/3.1/t/spamc_B.t?rev=392044&r1=392043&r2=392044&view=diff
==============================================================================
--- spamassassin/branches/3.1/t/spamc_B.t (original)
+++ spamassassin/branches/3.1/t/spamc_B.t Thu Apr 6 12:17:59 2006
@@ -3,7 +3,7 @@
use lib '.'; use lib 't';
use SATest; sa_t_init("spamc_B");
-use Test; plan tests => ($SKIP_SPAMC_TESTS ? 0 : 8);
+use Test; plan tests => ($SKIP_SPAMC_TESTS ? 0 : 9);
exit if $SKIP_SPAMC_TESTS;
# ---------------------------------------------------------------------------
@@ -26,6 +26,7 @@
);
start_spamd("-L");
+ok (spamcrun ("-B < data/spam/bsmtpnull", \&patterns_run_cb));
ok (spamcrun ("-B < data/spam/bsmtp", \&patterns_run_cb));
ok_all_patterns();
stop_spamd();