commit 04be0f2: [Fix] Fix parsing of the mask values that are invalid

Tue May 30 15:35:03 UTC 2023

Author: Vsevolod Stakhov
Date: 2023-05-30 16:14:04 +0100
URL: https://github.com/rspamd/rspamd/commit/04be0f217c3a9f788cfe61a6f6c7296fb7628a52

[Fix] Fix parsing of the mask values that are invalid

---
 src/libserver/spf.c | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/src/libserver/spf.c b/src/libserver/spf.c
index a422d2819..06352f5db 100644
--- a/src/libserver/spf.c
+++ b/src/libserver/spf.c
@@ -1458,13 +1458,22 @@ parse_spf_ip4 (struct spf_record *rec, struct spf_addr *addr)
 	}
 
 	if (slash) {
-		mask = strtoul (slash + 1, NULL, 10);
+		gchar *end = NULL;
+
+		mask = strtoul (slash + 1, &end, 10);
 		if (mask > 32) {
 			msg_info_spf ("invalid mask for ip4 element for %s: %s", addr->spf_string,
 					rec->sender_domain);
 			return FALSE;
 		}
 
+		if (end != NULL && !g_ascii_isspace(*end) && *end != '\0') {
+			/* Invalid mask definition */
+			msg_info_spf ("invalid mask for ip4 element for %s: %s", addr->spf_string,
+				rec->sender_domain);
+			return FALSE;
+		}
+
 		addr->m.dual.mask_v4 = mask;
 
 		if (mask < min_valid_mask) {
@@ -1525,13 +1534,21 @@ parse_spf_ip6 (struct spf_record *rec, struct spf_addr *addr)
 	}
 
 	if (slash) {
-		mask = strtoul (slash + 1, NULL, 10);
+		gchar *end = NULL;
+		mask = strtoul (slash + 1, &end, 10);
 		if (mask > 128) {
 			msg_info_spf ("invalid mask for ip6 element for %s: %s", addr->spf_string,
 					rec->sender_domain);
 			return FALSE;
 		}
 
+		if (end != NULL && !g_ascii_isspace(*end) && *end != '\0') {
+			/* Invalid mask definition */
+			msg_info_spf ("invalid mask for ip4 element for %s: %s", addr->spf_string,
+				rec->sender_domain);
+			return FALSE;
+		}
+
 		addr->m.dual.mask_v6 = mask;
 
 		if (mask < min_valid_mask) {
@@ -1823,7 +1840,7 @@ expand_spf_macro (struct spf_record *rec, struct spf_resolved_element *resolved,
 {
 	const gchar *p, *macro_value = NULL;
 	gchar *c, *new, *tmp, delim = '.';
-	gsize len = 0, slen = 0, macro_len = 0;
+	gsize len = 0, macro_len = 0;
 	gint state = 0, ndelim = 0;
 	gchar ip_buf[64 + 1]; /* cannot use INET6_ADDRSTRLEN as we use ptr lookup */
 	gboolean need_expand = FALSE, reversed;
@@ -1846,7 +1863,6 @@ expand_spf_macro (struct spf_record *rec, struct spf_resolved_element *resolved,
 				len++;
 			}
 
-			slen++;
 			p++;
 			break;
 		case 1:
@@ -1872,7 +1888,7 @@ expand_spf_macro (struct spf_record *rec, struct spf_resolved_element *resolved,
 				return begin;
 			}
 			p++;
-			slen++;
+
 			break;
 		case 2:
 			/* Read macro name */
@@ -1933,7 +1949,6 @@ expand_spf_macro (struct spf_record *rec, struct spf_resolved_element *resolved,
 				return begin;
 			}
 			p++;
-			slen++;
 			state = 3;
 			break;
 		case 3:
@@ -1943,7 +1958,6 @@ expand_spf_macro (struct spf_record *rec, struct spf_resolved_element *resolved,
 				need_expand = TRUE;
 			}
 			p++;
-			slen++;
 			break;
 
 		default:
