commit 7680a0f: [Fix] Add temporary guard to prevent linked list exploitation
Vsevolod Stakhov
vsevolod at highsecure.ru
Mon Sep 27 13:00:04 UTC 2021
Author: Vsevolod Stakhov
Date: 2021-09-27 13:56:05 +0100
URL: https://github.com/rspamd/rspamd/commit/7680a0ffd98bc0c3ce58c00d96759c328e96d48f (HEAD -> master)
[Fix] Add temporary guard to prevent linked list exploitation
---
src/libserver/dkim.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/libserver/dkim.c b/src/libserver/dkim.c
index 762bbaa94..f83c64931 100644
--- a/src/libserver/dkim.c
+++ b/src/libserver/dkim.c
@@ -2337,6 +2337,12 @@ rspamd_dkim_canonize_header (struct rspamd_dkim_common_ctx *ctx,
gint hdr_cnt = 0;
bool use_idx = false, is_sign = ctx->is_sign;
+ /*
+ * TODO:
+ * Temporary hack to prevent linked list being misused until refactored
+ */
+ const guint max_list_iters = 1000;
+
if (count < 0) {
use_idx = true;
count = -(count); /* use i= in header content as it is arc stuff */
@@ -2356,7 +2362,7 @@ rspamd_dkim_canonize_header (struct rspamd_dkim_common_ctx *ctx,
hdr_cnt++;
- if (cur == rh) {
+ if (cur == rh || hdr_cnt >= max_list_iters) {
/* Cycle */
break;
}
@@ -2386,13 +2392,17 @@ rspamd_dkim_canonize_header (struct rspamd_dkim_common_ctx *ctx,
}
}
else {
+ /*
+ * This branch is used for ARC headers, and it orders them based on
+ * i=<number> string and not their real order in the list of headers
+ */
gchar idx_buf[16];
- gint id_len;
+ gint id_len, i;
id_len = rspamd_snprintf (idx_buf, sizeof (idx_buf), "i=%d;",
count);
- for (cur = rh->prev; ; cur = cur->prev) {
+ for (cur = rh->prev, i = 0; i < max_list_iters; cur = cur->prev, i ++) {
if (cur->decoded &&
rspamd_substring_search (cur->decoded, strlen (cur->decoded),
idx_buf, id_len) != -1) {
More information about the Commits
mailing list