authorColin Percival <cperciva@FreeBSD.org>2006-06-14 16:01:20 +0000
committerColin Percival <cperciva@FreeBSD.org>2006-06-14 16:01:20 +0000
commit2b73814796e8ed6bd151ef0029914c71fa007b61 (patch)
tree885f677d688d70a13e5a6b1e9d77b070672d5ade
parent0ab3a30098f59e4ae9edbf73f0d07901a53afce6 (diff)
Correct a bug in the handling of multipart messages by sendmail(8)
which can allow a malformed message to crash a sendmail queue processing process. Security: FreeBSD-SA-06:17.sendmail Approved by: so (cperciva)
Notes
Notes: svn path=/releng/4.11/; revision=159608
-rw-r--r--UPDATING5
-rw-r--r--contrib/sendmail/src/deliver.c4
-rw-r--r--contrib/sendmail/src/mime.c36
-rw-r--r--contrib/sendmail/src/sendmail.h3
-rw-r--r--sys/conf/newvers.sh2
5 files changed, 39 insertions, 11 deletions
diff --git a/UPDATING b/UPDATING
index 721fb37e38ba..d1c722bbc6d7 100644
--- a/UPDATING
+++ b/UPDATING
@@ -17,6 +17,11 @@ minimal number of processes, if possible, for that patch. For those
updates that don't have an advisory, or to be safe, you can do a full
build and install as described in the COMMON ITEMS section.
+20060614: p19 FreeBSD-SA-06:17.sendmail
+ Correct a bug in the handling of multipart messages by sendmail(8)
+ which can allow a malformed message to crash a sendmail queue
+ processing process.
+
20060531: p18 FreeBSD-SA-06:16.smbfs
Correct a bug in the handling of backslash characters in smbfs
which can allow an attacker to escape from a chroot(2).
diff --git a/contrib/sendmail/src/deliver.c b/contrib/sendmail/src/deliver.c
index c0656dabd425..b9d8e5e11cde 100644
--- a/contrib/sendmail/src/deliver.c
+++ b/contrib/sendmail/src/deliver.c
@@ -4600,7 +4600,7 @@ putbody(mci, e, separator)
/* now do the hard work */
boundaries[0] = NULL;
mci->mci_flags |= MCIF_INHEADER;
- if (mime8to7(mci, e->e_header, e, boundaries, M87F_OUTER) ==
+ if (mime8to7(mci, e->e_header, e, boundaries, M87F_OUTER, 0) ==
SM_IO_EOF)
goto writeerr;
}
@@ -4631,7 +4631,7 @@ putbody(mci, e, separator)
SuprErrs = true;
if (mime8to7(mci, e->e_header, e, boundaries,
- M87F_OUTER|M87F_NO8TO7) == SM_IO_EOF)
+ M87F_OUTER|M87F_NO8TO7, 0) == SM_IO_EOF)
goto writeerr;
/* restore SuprErrs */
diff --git a/contrib/sendmail/src/mime.c b/contrib/sendmail/src/mime.c
index 2057ac71f907..e9047a1c822f 100644
--- a/contrib/sendmail/src/mime.c
+++ b/contrib/sendmail/src/mime.c
@@ -80,6 +80,7 @@ static bool MapNLtoCRLF;
** boundaries -- the currently pending message boundaries.
** NULL if we are processing the outer portion.
** flags -- to tweak processing.
+** level -- recursion level.
**
** Returns:
** An indicator of what terminated the message part:
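Review bot: The added `** level -- recursion level.` line says nothing about what the value means or what happens when the limit is reached, so a reader of this header block has to hunt for the check further down the function. Suggest `** level -- recursion depth of this call: 0 for the outermost message (as passed by putbody), level + 1 for each nested multipart or message/* part; once it exceeds MAXMIMENESTING the envelope is flagged EF_TOODEEP and the multipart and message/* branches stop recursing.` The function this comment documents begins in a later hunk.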
@@ -96,12 +97,13 @@ struct args
};
int
-mime8to7(mci, header, e, boundaries, flags)
+mime8to7(mci, header, e, boundaries, flags, level)
register MCI *mci;
HDR *header;
register ENVELOPE *e;
char **boundaries;
int flags;
+ int level;
{
register char *p;
int linelen;
@@ -122,6 +124,18 @@ mime8to7(mci, header, e, boundaries, flags)
char pvpbuf[MAXLINE];
extern unsigned char MimeTokenTab[256];
+ if (level > MAXMIMENESTING)
+ {
+ if (!bitset(EF_TOODEEP, e->e_flags))
+ {
+ if (tTd(43, 4))
+ sm_dprintf("mime8to7: too deep, level=%d\n",
+ level);
+ usrerr("mime8to7: recursion level %d exceeded",
+ level);
+ e->e_flags |= EF_DONT_MIME|EF_TOODEEP;
+ }
+ }
if (tTd(43, 1))
{
sm_dprintf("mime8to7: flags = %x, boundaries =", flags);
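Review bot: The `if (level > MAXMIMENESTING)` block sets EF_TOODEEP and reports the error but then falls straight into normal processing of the current part, and nothing here says that continuing is intentional; the part is actually cut off only by the `!bitset(EF_TOODEEP, e->e_flags)` guards on the multipart and message/* branches in the later hunks. A comment after the block, `/* no early return: the over-deep part is still written out as-is, the EF_TOODEEP guards below only stop further recursion */`, would make that contract explicit and stop a future cleanup from turning it into a return that drops output. The recursion guard here uses `>` while the boundary-count guard further down uses `i >= MAXMIMENESTING`; they limit different counters (call depth vs. pending boundaries), and a one-line comment saying so would save the next reader the comparison. mime8to7's body continues outside the hunk.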
@@ -242,7 +256,9 @@ mime8to7(mci, header, e, boundaries, flags)
*/
if (sm_strcasecmp(type, "multipart") == 0 &&
- (!bitset(M87F_NO8BIT, flags) || bitset(M87F_NO8TO7, flags)))
+ (!bitset(M87F_NO8BIT, flags) || bitset(M87F_NO8TO7, flags)) &&
+ !bitset(EF_TOODEEP, e->e_flags)
+ )
{
if (sm_strcasecmp(subtype, "digest") == 0)
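Review bot: The closing parenthesis of the multipart condition is left alone on its own line (`)`), which is unlike the equivalent new condition in the message/* branch of this same diff, where `bitset(EF_TOODEEP, e->e_flags))` closes on the last operand. Folding it to `!bitset(EF_TOODEEP, e->e_flags))` keeps the two new guards visually parallel and matches the surrounding style.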
@@ -286,10 +302,13 @@ mime8to7(mci, header, e, boundaries, flags)
}
if (i >= MAXMIMENESTING)
{
- usrerr("mime8to7: multipart nesting boundary too deep");
+ if (tTd(43, 4))
+ sm_dprintf("mime8to7: too deep, i=%d\n", i);
+ if (!bitset(EF_TOODEEP, e->e_flags))
+ usrerr("mime8to7: multipart nesting boundary too deep");
/* avoid bounce loops */
- e->e_flags |= EF_DONT_MIME;
+ e->e_flags |= EF_DONT_MIME|EF_TOODEEP;
}
else
{
@@ -333,7 +352,8 @@ mime8to7(mci, header, e, boundaries, flags)
goto writeerr;
if (tTd(43, 101))
putline("+++after putheader", mci);
- bt = mime8to7(mci, hdr, e, boundaries, flags);
+ bt = mime8to7(mci, hdr, e, boundaries, flags,
+ level + 1);
if (bt == SM_IO_EOF)
goto writeerr;
}
@@ -374,7 +394,8 @@ mime8to7(mci, header, e, boundaries, flags)
if (sm_strcasecmp(type, "message") == 0)
{
- if (!wordinclass(subtype, 's'))
+ if (!wordinclass(subtype, 's') ||
+ bitset(EF_TOODEEP, e->e_flags))
{
flags |= M87F_NO8BIT;
}
@@ -397,7 +418,8 @@ mime8to7(mci, header, e, boundaries, flags)
!bitset(M87F_NO8TO7, flags) &&
!putline("MIME-Version: 1.0", mci))
goto writeerr;
- bt = mime8to7(mci, hdr, e, boundaries, flags);
+ bt = mime8to7(mci, hdr, e, boundaries, flags,
+ level + 1);
mci->mci_flags &= ~MCIF_INMIME;
return bt;
}
diff --git a/contrib/sendmail/src/sendmail.h b/contrib/sendmail/src/sendmail.h
index 84d8234f1902..953557afb00d 100644
--- a/contrib/sendmail/src/sendmail.h
+++ b/contrib/sendmail/src/sendmail.h
@@ -941,6 +941,7 @@ struct envelope
#define EF_TOOBIG 0x02000000L /* message is too big */
#define EF_SPLIT 0x04000000L /* envelope has been split */
#define EF_UNSAFE 0x08000000L /* unsafe: read from untrusted source */
+#define EF_TOODEEP 0x10000000L /* message is nested too deep */
#define DLVR_NOTIFY 0x01
#define DLVR_RETURN 0x02
@@ -1647,7 +1648,7 @@ EXTERN unsigned long PrivacyFlags; /* privacy flags */
/* functions */
extern bool mime7to8 __P((MCI *, HDR *, ENVELOPE *));
-extern int mime8to7 __P((MCI *, HDR *, ENVELOPE *, char **, int));
+extern int mime8to7 __P((MCI *, HDR *, ENVELOPE *, char **, int, int));
/*
** Flags passed to returntosender.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index ce34c4a7aa93..482232675d68 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -36,7 +36,7 @@
TYPE="FreeBSD"
REVISION="4.11"
-BRANCH="RELEASE-p18"
+BRANCH="RELEASE-p19"
RELEASE="${REVISION}-${BRANCH}"
VERSION="${TYPE} ${RELEASE}"