From 7680a0ffd98bc0c3ce58c00d96759c328e96d48f Mon Sep 17 00:00:00 2001
From: Vsevolod Stakhov
Date: Mon, 27 Sep 2021 13:56:05 +0100
Subject: [PATCH] [Fix] Add temporary guard to prevent linked list exploitation
---
 src/libserver/dkim.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/src/libserver/dkim.c b/src/libserver/dkim.c
index 762bbaa94..f83c64931 100644
--- a/src/libserver/dkim.c
+++ b/src/libserver/dkim.c
@@ -2337,6 +2337,12 @@ rspamd_dkim_canonize_header (struct rspamd_dkim_common_ctx *ctx,
 gint hdr_cnt = 0;
 bool use_idx = false, is_sign = ctx->is_sign;
+ /*
+ * TODO:
+ * Temporary hack to prevent linked list being misused until refactored
+ */
+ const guint max_list_iters = 1000;
+
 if (count < 0) {
 use_idx = true;
 count = -(count); /* use i= in header content as it is arc stuff */
@@ -2356,7 +2362,7 @@ rspamd_dkim_canonize_header (struct rspamd_dkim_common_ctx *ctx,
 hdr_cnt++;
- if (cur == rh) {
+ if (cur == rh || hdr_cnt >= max_list_iters) {
 /* Cycle */
 break;
 }
@@ -2386,13 +2392,17 @@ rspamd_dkim_canonize_header (struct rspamd_dkim_common_ctx *ctx,
 }
 }
 else {
+ /*
+ * This branch is used for ARC headers, and it orders them based on
+ * i= string and not their real order in the list of headers
+ */
 gchar idx_buf[16];
- gint id_len;
+ gint id_len, i;
 id_len = rspamd_snprintf (idx_buf, sizeof (idx_buf), "i=%d;", count);
- for (cur = rh->prev; ; cur = cur->prev) {
+ for (cur = rh->prev, i = 0; i < max_list_iters; cur = cur->prev, i ++) {
 if (cur->decoded && rspamd_substring_search (cur->decoded, strlen (cur->decoded), idx_buf, id_len) != -1) {
-- 
2.39.5
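Review bot: The comment above `const guint max_list_iters = 1000;` calls it a temporary hack but does not say what kind of list the limit protects against, or what the function does once the limit is reached. A maintainer who later removes or raises the value needs both facts. I would word it along the lines of `/* Upper bound on header-list traversal: stops the walk if the prev links never lead back to rh; reaching it ends header selection early. TODO: remove once the list is refactored. */`. The value 1000 also deserves a word on how it was chosen, since a message may legitimately repeat a header many times.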
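Review bot: Reaching the cap in `if (cur == rh || hdr_cnt >= max_list_iters)` is handled exactly like the normal end of the ring, so a list that is longer than the limit, or one that never returns to `rh`, appears to end the walk silently, and the `/* Cycle */` comment no longer describes every exit. I would keep `if (cur == rh) { break; }` and add a separate `if (hdr_cnt >= max_list_iters)` branch that logs before breaking, so a truncated canonicalisation is visible when a verification result is investigated. `hdr_cnt` is a `gint` compared against the `guint` limit, and `i` in the ARC loop of the last hunk has the same mismatch; giving the limit and both counters the same type avoids the implicit conversion. The enclosing loop begins outside this hunk.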
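Review bot: The bounded loop still reads `cur->decoded` on every pass without checking `cur`, so the new limit stops an endless walk but not a broken `prev` link, which looks like the case the commit subject is concerned with. Adding the check to the loop condition costs nothing: `for (cur = rh->prev, i = 0; cur != NULL && i < max_list_iters; cur = cur->prev, i++) {`. The loop body continues past the end of this hunk, so I cannot confirm from here whether it also stops at `cur == rh` or how the caller distinguishes "limit reached" from "no matching `i=` header found"; a short comment at the loop stating the outcome in that case would help.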