* Fix parsing txt records to avoid reading of uninitialized data
authorVsevolod Stakhov <vsevolod@rambler-co.ru>
Wed, 28 Jul 2010 16:35:51 +0000 (20:35 +0400)
committerVsevolod Stakhov <vsevolod@rambler-co.ru>
Wed, 28 Jul 2010 16:35:51 +0000 (20:35 +0400)
src/dns.c
src/plugins/fuzzy_check.c

index cd80163f03969c14d70c24f637b600b4f10d4666..5197aae66d0311b126ed99bd4e50b94e0c64c318 100644 (file)
--- a/src/dns.c
+++ b/src/dns.c
@@ -762,7 +762,7 @@ end:
 static gint
 dns_parse_rr (guint8 *in, union rspamd_reply_element *elt, guint8 **pos, struct rspamd_dns_reply *rep, int *remain)
 {
-       guint8 *p = *pos;
+       guint8 *p = *pos, parts;
        guint16 type, datalen, txtlen, copied;
        gboolean parsed = FALSE;
 
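Review bot: `parts` is declared as a plain `guint8` on the new line `guint8 *p = *pos, parts;`, because only the first declarator carries the `*`, yet the loop in the next hunk increments it once per TXT chunk while comparing it against the `guint16` `datalen`. A record made of more than 255 chunks (zero-length chunks cost one byte each, so that fits in a large rdata) wraps `parts` back to 0, after which `copied + parts < datalen` in that loop stays true and `p` keeps walking past the record; since this is reply data from the network, that is a parser hang or over-read the responder controls. Give the counter the width of the lengths it is compared with: `guint8 *p = *pos;` followed by `guint16 parts;`, or track consumed bytes directly as `p - *pos`. The body of dns_parse_rr continues past the hunk.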
@@ -831,9 +831,11 @@ dns_parse_rr (guint8 *in, union rspamd_reply_element *elt, guint8 **pos, struct
                        elt->txt.data = memory_pool_alloc (rep->request->pool, datalen + 1);
                        /* Now we should compose data from parts */
                        copied = 0;
-                       while (copied < datalen) {
+                       parts = 0;
+                       while (copied + parts < datalen) {
                                txtlen = *p;
-                               if (txtlen + copied < datalen) {
+                               if (txtlen + copied + parts <= datalen) {
+                                       parts ++;
                                        memcpy (elt->txt.data + copied, p + 1, txtlen);
                                        copied += txtlen;
                                        p += txtlen + 1;
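Review bot: The new bound `if (txtlen + copied + parts <= datalen)` appears to be off by one: when it is evaluated, `copied + parts` is the number of rdata bytes already consumed and the chunk about to be copied occupies `txtlen + 1` bytes (length octet plus data), so it lies inside the record only when `txtlen + copied + parts < datalen`. With `<=`, a chunk whose data reaches exactly one byte beyond the end is accepted and the `memcpy` reads one byte past the rdata, whereas a strict `<` (as in the old test, which lacked `+ parts`) rejects it; for example, `datalen` 3 with a length octet of 3 passes the new check and copies offsets 1..3. The destination is not at risk, since `elt->txt.data` has `datalen + 1` bytes and `copied` cannot exceed `datalen`. Whether `remain` or the caller guarantees all `datalen` bytes sit inside the packet buffer is not visible here. Suggest `if (txtlen + copied + parts < datalen) {`; the loop and its rejecting branch continue beyond the hunk.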
index 971e747f2aef2c8f6d47ab1a716cc8bccec8aebe..4567f62cf14cf3292c9b39998dc8ce197d379550 100644 (file)
@@ -349,6 +349,7 @@ fuzzy_io_callback (int fd, short what, void *arg)
                cmd.value = 0;
                memcpy (cmd.hash, session->h->hash_pipe, sizeof (cmd.hash));
                cmd.cmd = FUZZY_CHECK;
+               cmd.flag = 0;
                if (write (fd, &cmd, sizeof (struct fuzzy_cmd)) == -1) {
                        goto err;
                }
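Review bot: Zeroing `cmd.flag` on its own still leaves any padding bytes of `struct fuzzy_cmd`, and any member added later, uninitialized, and the following `write (fd, &cmd, sizeof (struct fuzzy_cmd))` sends the whole object byte for byte, so whatever happened to be in those bytes goes on the wire. The declaration of `cmd` is outside the hunk, so this is inferred from the field-by-field initialization shown here. A single `memset (&cmd, 0, sizeof (cmd));` before the assignments covers every byte and makes the per-field zeroing unnecessary.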
@@ -560,8 +561,7 @@ fuzzy_symbol_callback (struct worker_task *task, void *unused)
                mime_part = cur->data;
                if (mime_part->content->len > 0 && mime_part->checksum != NULL) {
                        /* Construct fake fuzzy hash */
-                       fake_fuzzy = memory_pool_alloc (task->task_pool, sizeof (fuzzy_hash_t));
-                       fake_fuzzy->block_size = 0;
+                       fake_fuzzy = memory_pool_alloc0 (task->task_pool, sizeof (fuzzy_hash_t));
                        g_strlcpy (fake_fuzzy->hash_pipe, mime_part->checksum, sizeof (fake_fuzzy->hash_pipe));
                        register_fuzzy_call (task, fake_fuzzy);
                }
@@ -695,6 +695,7 @@ fuzzy_process_handler (struct controller_session *session, f_str_t * in)
                        if (mime_part->content->len > 0 && mime_part->checksum != NULL) {
                                /* Construct fake fuzzy hash */
                                fake_fuzzy.block_size = 0;
+                               bzero (fake_fuzzy.hash_pipe, sizeof (fake_fuzzy.hash_pipe));
                                g_strlcpy (fake_fuzzy.hash_pipe, mime_part->checksum, sizeof (fake_fuzzy.hash_pipe));
                                if (! register_fuzzy_controller_call (session, task, &fake_fuzzy, cmd, value, flag, saved)) {
                                        /* Cannot write hash */
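Review bot: `bzero` is the obsolescent BSD spelling (withdrawn from POSIX.1-2008) and it clears only `hash_pipe`, while `block_size` is reset by hand on the line above and any other member or padding of `fake_fuzzy` keeps whatever it held before, presumably from an earlier pass of the enclosing loop; the sibling fix in `fuzzy_symbol_callback` (the previous hunk) switched to `memory_pool_alloc0` to zero the whole object for the same reason. Replacing the two lines with `memset (&fake_fuzzy, 0, sizeof (fake_fuzzy));` zeroes the entire struct consistently before `g_strlcpy` fills in the hash. The enclosing loop and fuzzy_process_handler continue outside the hunk.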