Long headers cause sendmail loop (5.59, 5.61) +FIX
Jeff Forys
forys at snake.utah.edu
Sat Feb 18 12:38:29 AEST 1989
Steve Campbell (steve at eleazar.dartmouth.edu) writes:
> Subject: Long headers cause sendmail loop (5.59, 5.61) +FIX
> Index: usr.lib/sendmail/src/util.c 4.3BSD
>
> Description:
> Sendmail will loop in sfgets if you feed it a message with a
> header (often the To:) that exceeds sendmail's 2500 byte
> MAXFIELD limit. The reason is that collect() calls sfgets()
> (at line 124 in collect.c) with a length argument that varies,
> and when the header exceeds 2500 bytes, that argument goes
> negative, causing a loop in sfgets.
> Repeat-By:
> Feed sendmail a message with enough recipients to exceed 2500
> bytes. This can happen when the original recipients' addresses
are "user" but get rewritten to "user@domain".
> Fix:
> The complete fix is to make collect() more intelligent about
> handling long headers. Would someone like to step forward?
Okay... at the end of this article is a new version of "collect.c" which
fixes:
- The long header problem.
- The getc()-can-timeout problem (brought to my attention by
Chris Torek when I fixed the long header problem).
- If the "From " line (or first line) is longer than MAXFIELD, we may drop
out of the header parsing loop prematurely.
- If the first line in the body of a message is longer than
MAXFIELD, it will be truncated for no reason.
This code has been well tested, and we've been running it here for a
couple of weeks.
in header collection. One buffer holds the current header being
collected, while the other does further sfgets() for continuation
lines until a new header (or end of header) is detected.
Oh, also, here is a quick patch to "sendmail/src/headers.c" which
solves another serious buffer overrun -- I once noticed almost 4k
being stuffed into a 1k buffer (we have MAXFIELD set to 4k here).
*** /tmp/,RCSt1027960 Fri Feb 17 19:33:41 1989
--- headers.c Mon Feb 13 14:28:17 1989
***************
*** 20,25 ****
--- 20,26 ----
static char sccsid[] = "@(#)headers.c 5.13 (Berkeley) 1/1/89";
#endif /* not lint */
+ # include <sys/param.h>
# include <errno.h>
# include "sendmail.h"
***************
*** 621,631 ****
register MAILER *m;
register ENVELOPE *e;
{
! char buf[BUFSIZ];
register HDR *h;
extern char *arpadate();
extern char *capitalize();
! char obuf[MAXLINE];
for (h = e->e_header; h != NULL; h = h->h_link)
{
--- 622,632 ----
register MAILER *m;
register ENVELOPE *e;
{
! char buf[MAX(MAXFIELD,BUFSIZ)];
register HDR *h;
extern char *arpadate();
extern char *capitalize();
! char obuf[MAX(MAXFIELD,MAXLINE)];
for (h = e->e_header; h != NULL; h = h->h_link)
{
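Review bot: Sizing `buf` and `obuf` with MAX(MAXFIELD, ...) removes the overrun only for values that really are capped at MAXFIELD; the hunk itself bounds no write, and the function whose locals these are begins before and ends after the hunk, so the copy into them is not visible here. Fields collected by collect() are truncated at MAXFIELD, but fields reaching this function by other paths (addheader() of a recipient address, for instance) are not obviously bound by it, so a bounded copy using `sizeof buf` at the point of the write would make the invariant local instead of relying on the reader to know it. Until then a comment on the declarations keeps the dependency visible: `/* header fields from collect() are at most MAXFIELD bytes; buf/obuf must hold at least that */`. The `<sys/param.h>` include in the first hunk exists only to supply MAX; `# include <sys/param.h>	/* for MAX() */` would say so.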
Jeff Forys
/*
* Copyright (c) 1983 Eric P. Allman
* Copyright (c) 1988 Regents of the University of California.
* All rights reserved.
*
* Redistribution and use in source and binary forms are permitted
* provided that the above copyright notice and this paragraph are
* duplicated in all such forms and that any documentation,
* advertising materials, and other materials related to such
* distribution and use acknowledge that the software was developed
* by the University of California, Berkeley. The name of the
* University may not be used to endorse or promote products derived
* from this software without specific prior written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
#ifndef lint
/* SCCS identification string embedded in the binary (the "@(#)" marker is what what(1) looks for); hidden from lint */
static char sccsid[] = "@(#)collect.c 5.7 (Berkeley) 1/1/89";
#endif /* not lint */
# include <errno.h>
# include "sendmail.h"
/*
**  COLLECT -- read & parse message header & make temp file.
**
**	Creates a temporary file name and copies the standard
**	input (InChannel) to that file.  Leading UNIX-style "From"
**	lines are stripped off (after important information is
**	extracted).
**
**	Header fields are assembled with two MAXFIELD buffers: one holds
**	the field being built up (first line plus its continuation
**	lines), the other receives the next line read ahead.  When the
**	read-ahead line is not a continuation it starts the next field
**	(or ends the header) and the two buffers swap roles.  Input lines
**	longer than MAXFIELD are cut at MAXFIELD and the remainder is
**	discarded by flusheol().
**
**	Parameters:
**		sayok -- if set, give an ARPANET style message
**			to say we are ready to collect input.
**
**	Returns:
**		none.
**
**	Side Effects:
**		Temp file is created and filled; CurEnv->e_df names it
**		and CurEnv->e_dfp is left open on it for reading.
**		CurEnv->e_msgsize is increased by the bytes collected.
**		The from person may be set.
**		Does not return (calls finis()) if the temp file cannot
**		be created, or if the SMTP connection closes early.
*/

collect(sayok)
	bool sayok;
{
	register FILE *tf;
	char buf[MAXFIELD], buf2[MAXFIELD];	/* the two header buffers */
	register char *workbuf, *freebuf;
	register int workbuflen;		/* bytes of field in `workbuf' */
	extern char *hvalue();
	extern bool isheader(), flusheol();

	/*
	**  Create the temp file name and create the file.
	**	Failure is fatal: NoReturn is set and finis() is called.
	*/

	CurEnv->e_df = newstr(queuename(CurEnv, 'd'));
	if ((tf = dfopen(CurEnv->e_df, "w")) == NULL)
	{
		syserr("Cannot create %s", CurEnv->e_df);
		NoReturn = TRUE;
		finis();
	}
	(void) chmod(CurEnv->e_df, FileMode);

	/*
	**  Tell ARPANET to go ahead.
	*/

	if (sayok)
		message("354", "Enter mail, end with \".\" on a line by itself");

	/*
	**  Try to read a UNIX-style From line.
	**
	**	sfgets() (see util.c) is presumably fgets()-like: at most
	**	MAXFIELD-1 characters per call and NULL on end of input or
	**	error.  Every NULL return below goes to `readerr'.
	*/

	if (sfgets(buf, MAXFIELD, InChannel) == NULL)
		goto readerr;
	fixcrlf(buf, FALSE);
# ifndef NOTUNIX
	if (!SaveFrom && strncmp(buf, "From ", 5) == 0)
	{
		/* discard the unread tail of an overlong From line first */
		if (!flusheol(buf, InChannel))
			goto readerr;
		eatfrom(buf);
		if (sfgets(buf, MAXFIELD, InChannel) == NULL)
			goto readerr;
		fixcrlf(buf, FALSE);
	}
# endif NOTUNIX

	/*
	**  Copy InChannel to temp file & do message editing.
	**	To keep certain mailers from getting confused,
	**	and to keep the output clean, lines that look
	**	like UNIX "From" lines are deleted in the header.
	*/

	workbuf = buf;		/* `workbuf' contains a header field */
	freebuf = buf2;		/* `freebuf' can be used for read-ahead */
	for (;;)
	{
		/* first, see if the header is over */
		if (!isheader(workbuf))
		{
			fixcrlf(workbuf, TRUE);
			break;
		}

		/* if the line is too long, throw the rest away */
		if (!flusheol(workbuf, InChannel))
			goto readerr;

		/* it's okay to toss '\n' now (flusheol() needed it) */
		fixcrlf(workbuf, TRUE);
		workbuflen = strlen(workbuf);

		/* get the rest of this field */
		for (;;)
		{
			if (sfgets(freebuf, MAXFIELD, InChannel) == NULL)
				goto readerr;

			/* is this a continuation line? */
			if (*freebuf != ' ' && *freebuf != '\t')
				break;

			if (!flusheol(freebuf, InChannel))
				goto readerr;

			/*
			**  yes; append line to `workbuf' if there's room.
			**  MAXFIELD-3 leaves space for the '\n' added below,
			**  at least one character of the line and the
			**  terminating '\0'.  A continuation that does not
			**  fit is dropped without notice (the field is
			**  silently truncated).
			*/
			if (workbuflen < MAXFIELD-3)
			{
				register char *p = workbuf + workbuflen;
				register char *q = freebuf;

				/* we have room for more of this field */
				fixcrlf(freebuf, TRUE);
				*p++ = '\n'; workbuflen++;
				/* copy until the line ends or the buffer is full */
				while(*q != '\0' && workbuflen < MAXFIELD-1)
				{
					*p++ = *q++;
					workbuflen++;
				}
				*p = '\0';
			}
		}
		/* the assembled field counts toward the message size */
		CurEnv->e_msgsize += workbuflen;

		/*
		**  The working buffer now becomes the free buffer, since
		**  the free buffer contains a new header field.
		**
		**  This is premature, since we still haven't called
		**  chompheader() to process the field we just created
		**  (so the call to chompheader() will use `freebuf').
		**  This convolution is necessary so that if we break out
		**  of the loop due to H_EOH, `workbuf' will always be
		**  the next unprocessed buffer.
		*/

		{
			register char *tmp = workbuf;
			workbuf = freebuf;
			freebuf = tmp;
		}

		/*
		**  Snarf header away.  An H_EOH bit in chompheader()'s
		**  result (presumably "end of header") ends the loop.
		*/

		if (bitset(H_EOH, chompheader(freebuf, FALSE)))
			break;
	}

	if (tTd(30, 1))
		printf("EOH\n");

	/*
	**  `workbuf' holds the first line past the header.  The body
	**  loop below always reads from `buf', so make sure that line is
	**  there: an empty separator line is replaced by the next line
	**  read, and a line that landed in `buf2' is copied over.
	*/
	if (*workbuf == '\0')
	{
		/* throw away a blank line */
		if (sfgets(buf, MAXFIELD, InChannel) == NULL)
			goto readerr;
	}
	else if (workbuf == buf2)	/* guarantee `buf' contains data */
		(void) strcpy(buf, buf2);

	/*
	**  Collect the body of the message.
	**
	**	A body line longer than sfgets() returns in one call comes
	**	back in pieces; each piece is written out as a line of its
	**	own (the "\n" below is added unconditionally).
	*/

	do
	{
		register char *bp = buf;

		fixcrlf(buf, TRUE);

		/* check for end-of-message: a line holding only "." */
		if (!IgnrDot && buf[0] == '.' && (buf[1] == '\n' || buf[1] == '\0'))
			break;

		/* check for transparent dot: SMTP doubles a leading ".", undo it */
		if (OpMode == MD_SMTP && !IgnrDot && bp[0] == '.' && bp[1] == '.')
			bp++;

		/*
		**  Figure message length, output the line to the temp
		**  file, and insert a newline if missing.
		*/

		CurEnv->e_msgsize += strlen(bp) + 1;
		fputs(bp, tf);
		fputs("\n", tf);
		if (ferror(tf))
			tferror(tf);
	} while (sfgets(buf, MAXFIELD, InChannel) != NULL);

readerr:
	/*
	**  Reached on end of input, after the terminating "." line, or
	**  from any failed sfgets() above.  The temp file is flushed and
	**  closed in every case; a write error is reported via tferror().
	*/
	if (fflush(tf) != 0)
		tferror(tf);
	(void) fclose(tf);

	/* An EOF when running SMTP is an error */
	if ((feof(InChannel) || ferror(InChannel)) && OpMode == MD_SMTP)
	{
# ifdef LOG
		/*
		**  NOTE(review): the format has one %s but two arguments
		**  follow it, so "from %s" prints q_paddr and RealHostName
		**  is never printed -- probably not what was intended;
		**  confirm and adjust the format.
		*/
		if (RealHostName != NULL && LogLevel > 0)
			syslog(LOG_NOTICE,
			    "collect: unexpected close on connection from %s: %m\n",
			    CurEnv->e_from.q_paddr, RealHostName);
# endif
		usrerr("collect: unexpected close, from=%s", CurEnv->e_from.q_paddr);

		/* don't return an error indication */
		CurEnv->e_to = NULL;
		CurEnv->e_flags &= ~EF_FATALERRS;

		/* and don't try to deliver the partial message either */
		finis();
	}

	/*
	**  Find out some information from the headers.
	**	Examples are who is the from person & the date.
	*/

	eatheader(CurEnv);

	/*
	**  Add an Apparently-To: line if we have no recipient lines.
	*/

	if (hvalue("to") == NULL && hvalue("cc") == NULL &&
	    hvalue("bcc") == NULL && hvalue("apparently-to") == NULL)
	{
		register ADDRESS *q;

		/* create an Apparently-To: field */
		/*    that or reject the message.... */
		for (q = CurEnv->e_sendqueue; q != NULL; q = q->q_next)
		{
			/* recipients that came from an alias are skipped */
			if (q->q_alias != NULL)
				continue;
			if (tTd(30, 3))
				printf("Adding Apparently-To: %s\n", q->q_paddr);
			addheader("apparently-to", q->q_paddr, CurEnv);
		}
	}

	/* reopen the finished temp file for reading; e_dfp is left open */
	if ((CurEnv->e_dfp = fopen(CurEnv->e_df, "r")) == NULL)
		syserr("Cannot reopen %s", CurEnv->e_df);
}
/*
**  FLUSHEOL -- if not at EOL, throw away rest of input line.
**
**	Used after a bounded sfgets() to discard whatever remains of an
**	input line that did not fit in the caller's buffer.
**
**	Parameters:
**		buf -- last line read in (checked for '\n'),
**		fp -- file to be read from.
**
**	Returns:
**		FALSE on error from sfgets(), TRUE otherwise.
**
**	Side Effects:
**		Reads and discards input from fp until a '\n' has been
**		seen (nothing is read if `buf' already contains one).
*/

bool
flusheol(buf, fp)
	char *buf;
	FILE *fp;
{
	char junkbuf[MAXLINE], *sfgets();
	register char *line;

	/* keep pulling pieces of the line into scratch space until '\n' shows up */
	for (line = buf; index(line, '\n') == NULL; line = junkbuf)
	{
		if (sfgets(junkbuf, MAXLINE, fp) == NULL)
			return (FALSE);
	}
	return (TRUE);
}
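/*
**  TFERROR -- signal error on writing the temporary file.
**
**	Parameters:
**		tf -- the file pointer for the temporary file.
**
**	Returns:
**		none.
**
**	Side Effects:
**		Gives an error message.
**		Arranges for following output to go elsewhere: `tf' is
**		redirected to /dev/null so the caller's later writes and
**		fclose() act on a harmless stream.
**		On ENOSPC the temp file is truncated first and a marker
**		line is left in it.
*/

tferror(tf)
	FILE *tf;
{
	if (errno == ENOSPC)
	{
		/*
		**  freopen() closes `tf' before it reopens; when the reopen
		**  fails the stream is not usable, so write the marker only
		**  if it succeeded.  The user-visible error goes out either
		**  way.
		*/
		if (freopen(CurEnv->e_df, "w", tf) != NULL)
			fputs("\nMAIL DELETED BECAUSE OF LACK OF DISK SPACE\n\n", tf);
		usrerr("452 Out of disk space for temp file");
	}
	else
		syserr("collect: Cannot write %s", CurEnv->e_df);

	/*
	**  Send anything else written to `tf' into the bit bucket.
	**  Not being able to open /dev/null is reported rather than
	**  ignored, since the caller keeps writing to `tf'.
	*/
	if (freopen("/dev/null", "w", tf) == NULL)
		syserr("collect: Cannot reopen /dev/null");
}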
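/*
**  EATFROM -- chew up a UNIX style from line and process
**
**	This does indeed make some assumptions about the format
**	of UNIX messages.  The date is located by scanning the line
**	word by word for something shaped like "Dow Mon dd hh:mm:ss"
**	whose day and month names are in DowList and MonthList.
**
**	Parameters:
**		fm -- the from line.
**
**	Returns:
**		none.
**
**	Side Effects:
**		extracts what information it can from the header,
**		such as the date: macro 'd' is defined to a 24-character
**		copy of the date text and macro 'a' to its arpadate()
**		form.  Nothing is defined if no date is found.
*/

# ifndef NOTUNIX

/* three-letter day names, in strncmp() order of the date's first word */
char	*DowList[] =
{
	"Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat", NULL
};

/* three-letter month names, matched against the date's second word */
char	*MonthList[] =
{
	"Jan", "Feb", "Mar", "Apr", "May", "Jun",
	"Jul", "Aug", "Sep", "Oct", "Nov", "Dec",
	NULL
};

/*
**  DATEWORD -- does the text at `p' have the shape of a date?
**
**	The shape tested is "Dow Mon dd hh:mm:ss": an upper case letter
**	first, a blank at p[3] and colons at p[13] and p[16].  The text
**	is walked one character at a time and the test fails at the
**	first '\0', so a short word near the end of the line never
**	causes a read past the terminator (the previous version indexed
**	p[13] and p[16] unconditionally).
**
**	Parameters:
**		p -- start of the word to examine.
**
**	Returns:
**		1 if the shape matches, 0 otherwise.
**
**	Side Effects:
**		none.
*/

static int
dateword(p)
	register char *p;
{
	register int i;

	/* cast: plain char may be negative, which <ctype.h> does not accept */
	if (!isupper((unsigned char) *p))
		return (0);

	/* every position up to p[16] must exist before it may be looked at */
	for (i = 1; i <= 16; i++)
	{
		if (p[i] == '\0')
			return (0);
	}
	return (p[3] == ' ' && p[13] == ':' && p[16] == ':');
}

eatfrom(fm)
	char *fm;
{
	register char *p;
	register char **dt;

	if (tTd(30, 2))
		printf("eatfrom(%s)\n", fm);

	/* find the date part, one word at a time */
	p = fm;
	while (*p != '\0')
	{
		/* skip a word */
		while (*p != '\0' && *p != ' ')
			p++;
		while (*p == ' ')
			p++;
		if (!dateword(p))
			continue;

		/* we have a possible date; confirm the day and month names */
		for (dt = DowList; *dt != NULL; dt++)
			if (strncmp(*dt, p, 3) == 0)
				break;
		if (*dt == NULL)
			continue;
		for (dt = MonthList; *dt != NULL; dt++)
			if (strncmp(*dt, &p[4], 3) == 0)
				break;
		if (*dt != NULL)
			break;
	}

	/* `p' points at the date when the loop broke out, at '\0' otherwise */
	if (*p != '\0')
	{
		char *q;
		extern char *arpadate();

		/*
		**  we have found a date: keep its first 24 characters
		**  (q[24] forces termination whatever strncpy() left there)
		*/
		q = xalloc(25);
		(void) strncpy(q, p, 25);
		q[24] = '\0';
		define('d', q, CurEnv);
		q = arpadate(q);
		define('a', newstr(q), CurEnv);
	}
}
# endif /* NOTUNIX */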
---
Jeff Forys @ Unv of Utah/Salt Lake, Comp Sci Dept. (801-581-4280)
forys at cs.utah.edu -or- ..!{boulder,decvax,nbires}!utah-cs!forys