From 4263f395efd136dece52d765dfcff3c96f17506e Mon Sep 17 00:00:00 2001
From: Phil Pennock <pdp@exim.org>
Date: Wed, 24 Oct 2012 23:26:29 -0400
Subject: [PATCH 1/3] SECURITY: DKIM DNS buffer overflow protection
CVE-2012-5671
malloc/heap overflow, with a 60kB window of overwrite.
Requires DNS under control of person sending email, leaves plenty of
evidence, but is very likely exploitable on OSes that have not been
well hardened.
--- exim4-4.72.orig/src/dkim.c
+++ exim4-4.72/src/dkim.c
@@ -44,6 +44,9 @@ int dkim_exim_query_dns_txt(char *name,
"%.*s", (int)len, (char *)((rr->data)+rr_offset));
rr_offset+=len;
answer_offset+=len;
+ if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN) {
+ return PDKIM_FAIL;
+ }
}
}
else return PDKIM_FAIL;
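Review bot: The new guard `if (answer_offset >= PDKIM_DNS_TXT_MAX_RECLEN)` runs only after the snprintf at the top of the hunk has already written and after `answer_offset+=len` has advanced, so the safety of each write depends on the snprintf's size argument (on a line above the hunk, not visible here) having been computed from an `answer_offset` that was still below the limit; that holds on the first iteration and, because of the guard, on every later one, but the invariant is split across two places. Checking the remaining room before the write is more direct, `if (len >= PDKIM_DNS_TXT_MAX_RECLEN - answer_offset) return PDKIM_FAIL;` placed ahead of the snprintf, and it also turns a record that is one byte too long into a failure instead of a silently truncated answer. Whichever form is kept, the guard deserves a why-comment such as `/* Refuse any TXT record whose concatenated data would fill the answer buffer; presumably the size handed to snprintf is derived from answer_offset and must stay positive. */`. dkim_exim_query_dns_txt starts and ends outside the hunk, and the limit this guard uses is set by the pdkim.h hunk below.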
--- exim4-4.72.orig/src/pdkim/pdkim.h
+++ exim4-4.72/src/pdkim/pdkim.h
@@ -29,8 +29,8 @@
/* -------------------------------------------------------------------------- */
/* Length of the preallocated buffer for the "answer" from the dns/txt
- callback function. */
-#define PDKIM_DNS_TXT_MAX_RECLEN 4096
+ callback function. This should match the maximum RDLENGTH from DNS. */
+#define PDKIM_DNS_TXT_MAX_RECLEN (1 << 16)
/* -------------------------------------------------------------------------- */
/* Function success / error codes */
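Review bot: The new comment says `(1 << 16)` should match the maximum DNS RDLENGTH, but RDLENGTH is a 16-bit field whose maximum is 65535, so 65536 is one more than that, which is exactly what a NUL-terminated answer buffer needs, and the comment should say so rather than leave the extra byte looking accidental. Suggested wording: `/* Size of the preallocated "answer" buffer filled by the dns/txt callback: one more than the largest possible DNS RDLENGTH (65535), leaving room for the terminating NUL. */`. The guard added in the dkim.c hunk above compares `answer_offset` against this macro, so whatever allocates `answer` (not visible in this patch) must be sized from the same constant.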