From f72a87ca6055ae52a0cc03bce4a9aa420522a8ea Mon Sep 17 00:00:00 2001
From: Janos SUTO
Date: Thu, 12 Jul 2018 20:16:08 +0000
Subject: [PATCH] use proper boundary checking for to_domain string
Signed-off-by: Janos SUTO
---
 src/defs.h | 1 +
 src/parser.c | 10 ++++++++--
 src/parser_utils.c | 1 +
 3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/defs.h b/src/defs.h
index 64b62813..c2cbd1e1 100644
--- a/src/defs.h
+++ b/src/defs.h
@@ -207,6 +207,7 @@ struct parser_state {
 int bodylen;
 int tolen;
+ int todomainlen;
 int journaltolen;
 int retention;
diff --git a/src/parser.c b/src/parser.c
index 9f324c80..7a914319 100644
--- a/src/parser.c
+++ b/src/parser.c
@@ -144,7 +144,7 @@ int parse_line(char *buf, struct parser_state *state, struct session_data *sdata
 unsigned char b64buffer[MAXBUFSIZE];
 char tmpbuf[MAXBUFSIZE];
 int n64, writelen, boundary_line=0, result;
- unsigned int len;
+ unsigned int len, domainlen;
 if(cfg->debug == 1) printf("line: %s", buf);
@@ -170,6 +170,7 @@ int parse_line(char *buf, struct parser_state *state, struct session_data *sdata
 memset(state->b_to, 0, MAXBUFSIZE);
 state->tolen = 0;
 memset(state->b_to_domain, 0, SMALLBUFSIZE);
+ state->todomainlen = 0;
 clearhash(state->rcpt);
 clearhash(state->rcpt_domain);
@@ -721,7 +722,12 @@ int parse_line(char *buf, struct parser_state *state, struct session_data *sdata
 if(q){
 if(findnode(state->rcpt_domain, q+1) == NULL){
 addnode(state->rcpt_domain, q+1);
- memcpy(&(state->b_to_domain[strlen(state->b_to_domain)]), q+1, strlen(q+1));
+ domainlen = strlen(q+1);
+
+ if(state->todomainlen < SMALLBUFSIZE-domainlen-1){
+ memcpy(&(state->b_to_domain[state->todomainlen]), q+1, domainlen);
+ state->todomainlen += domainlen;
+ }
 }
 }
diff --git a/src/parser_utils.c b/src/parser_utils.c
index 0b06ee65..d8f75aa5 100644
--- a/src/parser_utils.c
+++ b/src/parser_utils.c
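Review bot: The added guard `state->todomainlen < SMALLBUFSIZE-domainlen-1` in the third parser.c hunk can still pass when the copy does not fit, because `domainlen` is `unsigned int` and, assuming SMALLBUFSIZE is a plain int constant, the subtraction is done in unsigned arithmetic and wraps to a very large value once `strlen(q+1)` is SMALLBUFSIZE or more. Whether q+1 can be that long is decided by tokenising code in parse_line outside this hunk, so the bounds check should not rely on it. Keeping the subtraction on the side that cannot go negative avoids the wrap: `if(domainlen < (unsigned int)(SMALLBUFSIZE-1 - state->todomainlen)){`. Separately, `addnode()` runs before the check, so a domain that does not fit is recorded in rcpt_domain but silently left out of b_to_domain; a short comment or log line on that path would make the truncation deliberate and visible.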
@@ -96,6 +96,7 @@ void init_state(struct parser_state *state){
 memset(state->b_journal_to, 0, MAXBUFSIZE);
 state->tolen = 0;
+ state->todomainlen = 0;
 state->bodylen = 0;
 state->journaltolen = 0;