From: Vsevolod Stakhov Date: Mon, 27 Sep 2021 12:56:05 +0000 (+0100) Subject: [Fix] Add temporary guard to prevent linked list exploitation X-Git-Tag: 3.1~115 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7680a0ffd98bc0c3ce58c00d96759c328e96d48f;p=thirdparty%2Frspamd.git [Fix] Add temporary guard to prevent linked list exploitation --- diff --git a/src/libserver/dkim.c b/src/libserver/dkim.c index 762bbaa94f..f83c649314 100644 --- a/src/libserver/dkim.c +++ b/src/libserver/dkim.c @@ -2337,6 +2337,12 @@ rspamd_dkim_canonize_header (struct rspamd_dkim_common_ctx *ctx, gint hdr_cnt = 0; bool use_idx = false, is_sign = ctx->is_sign; + /* + * TODO: + * Temporary hack to prevent linked list being misused until refactored + */ + const guint max_list_iters = 1000; + if (count < 0) { use_idx = true; count = -(count); /* use i= in header content as it is arc stuff */ @@ -2356,7 +2362,7 @@ rspamd_dkim_canonize_header (struct rspamd_dkim_common_ctx *ctx, hdr_cnt++; - if (cur == rh) { + if (cur == rh || hdr_cnt >= max_list_iters) { /* Cycle */ break; } @@ -2386,13 +2392,17 @@ rspamd_dkim_canonize_header (struct rspamd_dkim_common_ctx *ctx, } } else { + /* + * This branch is used for ARC headers, and it orders them based on + * i= string and not their real order in the list of headers + */ gchar idx_buf[16]; - gint id_len; + gint id_len, i; id_len = rspamd_snprintf (idx_buf, sizeof (idx_buf), "i=%d;", count); - for (cur = rh->prev; ; cur = cur->prev) { + for (cur = rh->prev, i = 0; i < max_list_iters; cur = cur->prev, i ++) { if (cur->decoded && rspamd_substring_search (cur->decoded, strlen (cur->decoded), idx_buf, id_len) != -1) {