diff options
| author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2021-09-27 13:56:05 +0100 |
|---|---|---|
| committer | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2021-09-27 13:56:05 +0100 |
| commit | 7680a0ffd98bc0c3ce58c00d96759c328e96d48f (patch) | |
| tree | 9ea97d5a0d1270d5ba545681fea5b80d83e693f1 | |
| parent | b36eaf826c1f9e587f189c5e9c58966c726a95c9 (diff) | |
| download | rspamd-7680a0ffd98bc0c3ce58c00d96759c328e96d48f.tar.gz rspamd-7680a0ffd98bc0c3ce58c00d96759c328e96d48f.zip | |
[Fix] Add temporary guard to prevent linked list exploitation
| -rw-r--r-- | src/libserver/dkim.c | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/src/libserver/dkim.c b/src/libserver/dkim.c index 762bbaa94..f83c64931 100644 --- a/src/libserver/dkim.c +++ b/src/libserver/dkim.c @@ -2337,6 +2337,12 @@ rspamd_dkim_canonize_header (struct rspamd_dkim_common_ctx *ctx, gint hdr_cnt = 0; bool use_idx = false, is_sign = ctx->is_sign; + /* + * TODO: + * Temporary hack to prevent linked list being misused until refactored + */ + const guint max_list_iters = 1000; + if (count < 0) { use_idx = true; count = -(count); /* use i= in header content as it is arc stuff */ @@ -2356,7 +2362,7 @@ rspamd_dkim_canonize_header (struct rspamd_dkim_common_ctx *ctx, hdr_cnt++; - if (cur == rh) { + if (cur == rh || hdr_cnt >= max_list_iters) { /* Cycle */ break; } @@ -2386,13 +2392,17 @@ rspamd_dkim_canonize_header (struct rspamd_dkim_common_ctx *ctx, } } else { + /* + * This branch is used for ARC headers, and it orders them based on + * i=<number> string and not their real order in the list of headers + */ gchar idx_buf[16]; - gint id_len; + gint id_len, i; id_len = rspamd_snprintf (idx_buf, sizeof (idx_buf), "i=%d;", count); - for (cur = rh->prev; ; cur = cur->prev) { + for (cur = rh->prev, i = 0; i < max_list_iters; cur = cur->prev, i ++) { if (cur->decoded && rspamd_substring_search (cur->decoded, strlen (cur->decoded), idx_buf, id_len) != -1) { |