Patch cleaned up for Gentoo
- applied to 4.94
- removed unnecessary whitespace changes

From 4e9ed49f8f12eb331b29bd5b6dc3693c520fddc2 Mon Sep 17 00:00:00 2001
From: Jeremy Harris <jgh146exb@wizmail.org>
Date: Wed, 31 Aug 2022 15:37:40 +0100
Subject: [PATCH 1/1] Fix $regex<n> use-after-free.  Bug 2915

--- exim-4.94.2/src/exim.c	2021-04-30 14:08:21.000000000 +0200
+++ exim-4.94.2/src/exim.c	2022-10-19 09:15:58.611447982 +0200
@@ -1886,8 +1886,6 @@
   regex_must_compile(US"^[A-Za-z0-9_/.-]*$", FALSE, TRUE);
 #endif
 
-for (i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
-
 /* If the program is called as "mailq" treat it as equivalent to "exim -bp";
 this seems to be a generally accepted convention, since one finds symbolic
 links called "mailq" in standard OS configurations. */
@@ -5841,7 +5839,7 @@
   deliver_localpart_data = deliver_domain_data =
   recipient_data = sender_data = NULL;
   acl_var_m = NULL;
-  for(int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
+  regex_vars_clear();
 
   store_reset(reset_point);
   }
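Review bot: The replacement `regex_vars_clear();` directly above `store_reset(reset_point);` carries no comment saying why it belongs next to the store reset, which is the whole point of this use-after-free fix. Suggest `regex_vars_clear();   /* $regex<n>/$regex_match_string point into the store released below */`. Note the helper also nulls `regex_match_string`, which the per-slot loop it replaces did not touch; that is a harmless widening at this reset point. The enclosing function starts before this hunk.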
--- exim-4.94.2/src/functions.h	2021-04-30 14:08:21.000000000 +0200
+++ exim-4.94.2/src/functions.h	2022-10-19 09:17:44.882122667 +0200
@@ -417,6 +417,7 @@
 #endif
 extern BOOL    regex_match_and_setup(const pcre *, const uschar *, int, int);
 extern const pcre *regex_must_compile(const uschar *, BOOL, BOOL);
+extern void    regex_vars_clear(void);
 extern void    retry_add_item(address_item *, uschar *, int);
 extern BOOL    retry_check_address(const uschar *, host_item *, uschar *, BOOL,
                  uschar **, uschar **);
--- exim-4.94.2/src/globals.c	2022-10-19 09:14:19.344751853 +0200
+++ exim-4.94.2/src/globals.c	2022-10-19 09:18:27.675991666 +0200
@@ -1289,7 +1289,7 @@
 #endif
 const pcre *regex_ismsgid      = NULL;
 const pcre *regex_smtp_code    = NULL;
-uschar *regex_vars[REGEX_VARS];
+uschar *regex_vars[REGEX_VARS] = { 0 };
 #ifdef WHITELIST_D_MACROS
 const pcre *regex_whitelisted_macro = NULL;
 #endif
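Review bot: The `= { 0 }` initializer on `regex_vars` is redundant for an object with static storage duration, which C zero-initialises anyway, so it changes nothing at run time; it is still a reasonable way to record that the start-up loop deleted from exim.c is no longer needed. A short comment would make that intent explicit, e.g. `uschar *regex_vars[REGEX_VARS] = { 0 };   /* static zero-init replaces the old start-up clear in exim.c */`.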
--- exim-4.94.2/src/regex.c	2021-04-30 14:08:21.000000000 +0200
+++ exim-4.94.2/src/regex.c	2022-10-19 09:35:03.229084750 +0200
@@ -98,7 +106,7 @@
 int ret = FAIL;
 
 /* reset expansion variable */
-regex_match_string = NULL;
+regex_vars_clear();
 
 if (!mime_stream)				/* We are in the DATA ACL */
   {
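Review bot: `regex_vars_clear();` at the top of this hunk now wipes every `$regex<n>` slot before the new match runs, whereas the line it replaces only cleared `regex_match_string`; an ACL that read `$regex1` from an earlier `regex=` condition after a later condition that did not match would presumably now see an empty value. If that is intended, say so at the call, `regex_vars_clear();   /* $regex<n> from any earlier condition are dropped here */`, and reflect it in the expansion-variable documentation. The enclosing function starts before this hunk.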
@@ -166,8 +174,7 @@
 int mime_subject_len = 0;
 int ret;
 
-/* reset expansion variable */
-regex_match_string = NULL;
+regex_vars_clear();
 
 /* precompile our regexes */
 if (!(re_list_head = compile(*listptr)))
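Review bot: This hunk drops the `/* reset expansion variable */` comment above `regex_vars_clear();`, while the equivalent replacement earlier in the same file keeps it; the two call sites should read the same. Either restore the comment here (as `/* reset expansion variables */`, plural, to match the helper's own header) or remove it in both places. The enclosing function, apparently the MIME variant of the regex condition, starts before this hunk.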
@@ -213,3 +205,12 @@
 }
 
 #endif /* WITH_CONTENT_SCAN */
+
+/* reset expansion variables */
+void
+regex_vars_clear(void)
+{
+regex_match_string = NULL;
+for (int i = 0; i < REGEX_VARS; i++) regex_vars[i] = NULL;
+}
+
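Review bot: The new `regex_vars_clear()` has only a four-word comment and no statement of its contract, although every caller depends on it: it nulls `regex_match_string` and the `regex_vars[]` slots but frees nothing, so the strings it forgets are presumably in whatever store pool the matcher copied them into, and it must run at every point that store is reset (the CVE is exactly such a pointer surviving a reset). Suggest a header comment along the lines of `/* Forget $regex_match_string and $regex<n>. The strings live in message store; call this at each store_reset() that releases them so expansion cannot read freed memory. */`. The definition is placed after `#endif /* WITH_CONTENT_SCAN */`, which appears deliberate so that the symbol exists when content scanning is compiled out, since exim.c and smtp_in.c call it unconditionally; a one-line comment saying so would stop someone moving it back inside the guard. The trailing empty line added after the closing brace is a stray whitespace change of the kind the Gentoo cleanup header says it removed.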
--- exim-4.94.2/src/smtp_in.c	2021-04-30 14:08:21.000000000 +0200
+++ exim-4.94.2/src/smtp_in.c	2022-10-19 09:15:58.613447975 +0200
@@ -2161,8 +2161,10 @@
 #ifdef SUPPORT_I18N
 message_smtputf8 = FALSE;
 #endif
+regex_vars_clear();
 body_linecount = body_zerocount = 0;
 
+lookup_value = NULL;				/* Can be set by ACL */
 sender_rate = sender_rate_limit = sender_rate_period = NULL;
 ratelimiters_mail = NULL;           /* Updated by ratelimit ACL condition */
                    /* Note that ratelimiters_conn persists across resets. */
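Review bot: The added `lookup_value = NULL;` is a second, unrelated stale-pointer reset bundled into a patch whose subject only mentions `$regex<n>`; it deserves its own sentence in the patch header or a fuller comment, e.g. `lookup_value = NULL;   /* $value: set by ACL lookups, may point into per-message store */`. The `regex_vars_clear();` call is likewise uncommented; `regex_vars_clear();   /* $regex<n>/$regex_match_string live in the store reset by this function */` would tie it to the bug being fixed. Both resets only help if they are on the same path as the store_reset() that releases the message pool, which presumably happens later in this function; the enclosing function starts before this hunk.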