Bump PKGREVISION.

A malformed MIME structure with many parts can cause sendmail to crash while trying to send a mail due to a stack overflow, e.g., if the stack size is limited (ulimit -s). This happens because the recursion of the function mime8to7() was not restricted. The function is called for MIME 8 to 7 bit conversion and also to enforce MaxMimeHeaderLength. To work around this problem, recursive calls are limited to a depth of MAXMIMENESTING (20); message content after this limit is treated as opaque and is not checked further.
2006-06-14 18:53:53 +00:00 · 2006-06-14 18:53:53 +00:00 · 4c9325d865
commit 4c9325d865
parent b17fa2e470
12 changed files with 322 additions and 6 deletions
--- a/mail/sendmail/Makefile
+++ b/mail/sendmail/Makefile
@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.89 2006/06/07 14:48:28 joerg Exp $
+# $NetBSD: Makefile,v 1.90 2006/06/14 18:53:54 adrianp Exp $

 .include "../../mail/sendmail/Makefile.common"

 PKGNAME=	sendmail-${DIST_VERS}
-PKGREVISION=	2
+PKGREVISION=	3
 COMMENT=	The well known Mail Transport Agent

 CONFLICTS+=	courier-mta-[0-9]* fastforward>=0.51nb2 postfix-[0-9]*
--- a/mail/sendmail/distinfo
+++ b/mail/sendmail/distinfo
@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.29 2006/06/07 14:48:28 joerg Exp $
+$NetBSD: distinfo,v 1.30 2006/06/14 18:53:54 adrianp Exp $

 SHA1 (sendmail.8.13.6.tar.gz) = 6c35f4780bd9fc5f8982977ad699752e2ccb26d0
 RMD160 (sendmail.8.13.6.tar.gz) = cbb0649b5dec8e4b4850c76ad4a132a15335df3b
@ -12,3 +12,7 @@ SHA1 (patch-af) = d26481845328adad6d46fdf797785ec2ad003e28
 SHA1 (patch-ag) = 672c3e8a0c897f2c721d45393d85d4ea819d55a6
 SHA1 (patch-ah) = e6be09008b9230ffdd1560aaacbdbb2ee4fb8028
 SHA1 (patch-ai) = 8ade5888074ad9a328f87d66836c04eacf7785d5
+SHA1 (patch-aj) = 5dbceffb6397e28beb0c9350398238877928ead8
+SHA1 (patch-ak) = 0688b603018fc58510174a012ca7d2425665a7cd
+SHA1 (patch-al) = 9527aa7046a6b4be63c12108b5e03d6b13009d2d
+SHA1 (patch-am) = 6a7e14410ddc619a08142b90bd15f55eb23d32b8
--- a/mail/sendmail/patches/patch-aj
+++ b/mail/sendmail/patches/patch-aj
@ -0,0 +1,22 @@
+$NetBSD: patch-aj,v 1.3 2006/06/14 18:53:53 adrianp Exp $
+
+--- sendmail/deliver.c.orig	2006-03-02 01:37:39.000000000 +0000
+++ sendmail/deliver.c
+@@ -4623,7 +4623,7 @@ putbody(mci, e, separator)
+ 		/* now do the hard work */
+ 		boundaries[0] = NULL;
+ 		mci->mci_flags |= MCIF_INHEADER;
+-		if (mime8to7(mci, e->e_header, e, boundaries, M87F_OUTER) ==
+		if (mime8to7(mci, e->e_header, e, boundaries, M87F_OUTER, 0) ==
+ 								SM_IO_EOF)
+ 			goto writeerr;
+ 	}
+@@ -4654,7 +4654,7 @@ putbody(mci, e, separator)
+ 			SuprErrs = true;
+ 
+ 		if (mime8to7(mci, e->e_header, e, boundaries,
+-				M87F_OUTER|M87F_NO8TO7) == SM_IO_EOF)
+				M87F_OUTER|M87F_NO8TO7, 0) == SM_IO_EOF)
+ 			goto writeerr;
+ 
+ 		/* restore SuprErrs */
--- a/mail/sendmail/patches/patch-ak
+++ b/mail/sendmail/patches/patch-ak
@ -0,0 +1,103 @@
+$NetBSD: patch-ak,v 1.3 2006/06/14 18:53:53 adrianp Exp $
+
+--- sendmail/mime.c.orig	2006-03-01 18:07:45.000000000 +0000
+++ sendmail/mime.c
+@@ -80,6 +80,7 @@ static bool	MapNLtoCRLF;
+ **		boundaries -- the currently pending message boundaries.
+ **			NULL if we are processing the outer portion.
+ **		flags -- to tweak processing.
+**		level -- recursion level.
+ **
+ **	Returns:
+ **		An indicator of what terminated the message part:
+@@ -96,12 +97,13 @@ struct args
+ };
+ 
+ int
+-mime8to7(mci, header, e, boundaries, flags)
+mime8to7(mci, header, e, boundaries, flags, level)
+ 	register MCI *mci;
+ 	HDR *header;
+ 	register ENVELOPE *e;
+ 	char **boundaries;
+ 	int flags;
+	int level;
+ {
+ 	register char *p;
+ 	int linelen;
+@@ -122,6 +124,18 @@ mime8to7(mci, header, e, boundaries, fla
+ 	char pvpbuf[MAXLINE];
+ 	extern unsigned char MimeTokenTab[256];
+ 
+	if (level > MAXMIMENESTING)
+	{
+		if (!bitset(EF_TOODEEP, e->e_flags))
+		{
+			if (tTd(43, 4))
+				sm_dprintf("mime8to7: too deep, level=%d\n",
+					   level);
+			usrerr("mime8to7: recursion level %d exceeded",
+				level);
+			e->e_flags |= EF_DONT_MIME|EF_TOODEEP;
+		}
+	}
+ 	if (tTd(43, 1))
+ 	{
+ 		sm_dprintf("mime8to7: flags = %x, boundaries =", flags);
+@@ -242,7 +256,9 @@ mime8to7(mci, header, e, boundaries, fla
+ 	*/
+ 
+ 	if (sm_strcasecmp(type, "multipart") == 0 &&
+-	    (!bitset(M87F_NO8BIT, flags) || bitset(M87F_NO8TO7, flags)))
+	    (!bitset(M87F_NO8BIT, flags) || bitset(M87F_NO8TO7, flags)) &&
+	    !bitset(EF_TOODEEP, e->e_flags)
+	   )
+ 	{
+ 
+ 		if (sm_strcasecmp(subtype, "digest") == 0)
+@@ -286,10 +302,13 @@ mime8to7(mci, header, e, boundaries, fla
+ 		}
+ 		if (i >= MAXMIMENESTING)
+ 		{
+-			usrerr("mime8to7: multipart nesting boundary too deep");
+			if (tTd(43, 4))
+				sm_dprintf("mime8to7: too deep, i=%d\n", i);
+			if (!bitset(EF_TOODEEP, e->e_flags))
+				usrerr("mime8to7: multipart nesting boundary too deep");
+ 
+ 			/* avoid bounce loops */
+-			e->e_flags |= EF_DONT_MIME;
+			e->e_flags |= EF_DONT_MIME|EF_TOODEEP;
+ 		}
+ 		else
+ 		{
+@@ -333,7 +352,8 @@ mime8to7(mci, header, e, boundaries, fla
+ 				goto writeerr;
+ 			if (tTd(43, 101))
+ 				putline("+++after putheader", mci);
+-			bt = mime8to7(mci, hdr, e, boundaries, flags);
+			bt = mime8to7(mci, hdr, e, boundaries, flags,
+				      level + 1);
+ 			if (bt == SM_IO_EOF)
+ 				goto writeerr;
+ 		}
+@@ -374,7 +394,8 @@ mime8to7(mci, header, e, boundaries, fla
+ 
+ 	if (sm_strcasecmp(type, "message") == 0)
+ 	{
+-		if (!wordinclass(subtype, 's'))
+		if (!wordinclass(subtype, 's') ||
+		    bitset(EF_TOODEEP, e->e_flags))
+ 		{
+ 			flags |= M87F_NO8BIT;
+ 		}
+@@ -397,7 +418,8 @@ mime8to7(mci, header, e, boundaries, fla
+ 			    !bitset(M87F_NO8TO7, flags) &&
+ 			    !putline("MIME-Version: 1.0", mci))
+ 				goto writeerr;
+-			bt = mime8to7(mci, hdr, e, boundaries, flags);
+			bt = mime8to7(mci, hdr, e, boundaries, flags,
+				      level + 1);
+ 			mci->mci_flags &= ~MCIF_INMIME;
+ 			return bt;
+ 		}
--- a/mail/sendmail/patches/patch-al
+++ b/mail/sendmail/patches/patch-al
@ -0,0 +1,21 @@
+$NetBSD: patch-al,v 1.3 2006/06/14 18:53:53 adrianp Exp $
+
+--- sendmail/sendmail.h.orig	2006-02-27 17:49:09.000000000 +0000
+++ sendmail/sendmail.h
+@@ -942,6 +942,7 @@ struct envelope
+ #define EF_TOOBIG	0x02000000L	/* message is too big */
+ #define EF_SPLIT	0x04000000L	/* envelope has been split */
+ #define EF_UNSAFE	0x08000000L	/* unsafe: read from untrusted source */
+#define EF_TOODEEP	0x10000000L	/* message is nested too deep */
+ 
+ #define DLVR_NOTIFY	0x01
+ #define DLVR_RETURN	0x02
+@@ -1655,7 +1656,7 @@ EXTERN unsigned long	PrivacyFlags;	/* pr
+ 
+ /* functions */
+ extern bool	mime7to8 __P((MCI *, HDR *, ENVELOPE *));
+-extern int	mime8to7 __P((MCI *, HDR *, ENVELOPE *, char **, int));
+extern int	mime8to7 __P((MCI *, HDR *, ENVELOPE *, char **, int, int));
+ 
+ /*
+ **  Flags passed to returntosender.
--- a/mail/sendmail/patches/patch-am
+++ b/mail/sendmail/patches/patch-am
@ -0,0 +1,8 @@
+$NetBSD: patch-am,v 1.1 2006/06/14 18:53:53 adrianp Exp $
+
+--- sendmail/version.c.orig	2006-03-08 19:21:21.000000000 +0000
+++ sendmail/version.c
+@@ -17,2 +17,2 @@ SM_RCSID("@(#)$Id: version.c,v 8.160 200
+ 
+-char	Version[] = "8.13.6";
+char	Version[] = "8.13.6.20060614";
--- a/mail/sendmail812/Makefile
+++ b/mail/sendmail812/Makefile
@ -1,10 +1,10 @@
-# $NetBSD: Makefile,v 1.11 2006/06/06 21:55:49 adrianp Exp $
+# $NetBSD: Makefile,v 1.12 2006/06/14 18:57:34 adrianp Exp $

 .include "options.mk"
 .include "../../mail/sendmail812/Makefile.common"

 PKGNAME=	sendmail-${DIST_VERS}
-PKGREVISION=	2
+PKGREVISION=	3
 COMMENT=	The well known Mail Transport Agent
 HAS_SIG=	yes

--- a/mail/sendmail812/distinfo
+++ b/mail/sendmail812/distinfo
@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.4 2006/03/22 21:19:06 tv Exp $
+$NetBSD: distinfo,v 1.5 2006/06/14 18:57:34 adrianp Exp $

 SHA1 (sendmail.8.12.11.tar.gz) = ce1ba0e50740c548f8555f1a905d8514e6637f95
 RMD160 (sendmail.8.12.11.tar.gz) = a80ceccbe3425ea01ce6cb89f2226f83b3562b64
@ -13,3 +13,7 @@ SHA1 (patch-ad) = 7232cc7ceb46a2dbf631d61185e4c6ca4af18a13
 SHA1 (patch-ae) = ae06caa125fe4d4fc85123dc0a5d0016cd099ebd
 SHA1 (patch-af) = d26481845328adad6d46fdf797785ec2ad003e28
 SHA1 (patch-ag) = 4e84e709338eecc0dc14a6df42d8071fee1938a3
+SHA1 (patch-ah) = b876e92147bce47fee5f77106c2a1b281fac743f
+SHA1 (patch-ai) = d17bc0a551fa5efd59f4822ca59049e166e59d86
+SHA1 (patch-aj) = 6901b3efacf02ba5f71fbfb6056b1eced9d4c037
+SHA1 (patch-ak) = 2668680ec507ce4b59acae1a985e3af105c51816
--- a/mail/sendmail812/patches/patch-ah
+++ b/mail/sendmail812/patches/patch-ah
@ -0,0 +1,22 @@
+$NetBSD: patch-ah,v 1.1 2006/06/14 18:57:34 adrianp Exp $
+
+--- sendmail/deliver.c.orig	2006-06-13 21:35:58.000000000 +0100
+++ sendmail/deliver.c
+@@ -4566,7 +4566,7 @@ putbody(mci, e, separator)
+ 		/* now do the hard work */
+ 		boundaries[0] = NULL;
+ 		mci->mci_flags |= MCIF_INHEADER;
+-		if (mime8to7(mci, e->e_header, e, boundaries, M87F_OUTER) ==
+		if (mime8to7(mci, e->e_header, e, boundaries, M87F_OUTER, 0) ==
+ 								SM_IO_EOF)
+ 			goto writeerr;
+ 	}
+@@ -4597,7 +4597,7 @@ putbody(mci, e, separator)
+ 			SuprErrs = true;
+ 
+ 		if (mime8to7(mci, e->e_header, e, boundaries,
+-				M87F_OUTER|M87F_NO8TO7) == SM_IO_EOF)
+				M87F_OUTER|M87F_NO8TO7, 0) == SM_IO_EOF)
+ 			goto writeerr;
+ 
+ 		/* restore SuprErrs */
--- a/mail/sendmail812/patches/patch-ai
+++ b/mail/sendmail812/patches/patch-ai
@ -0,0 +1,103 @@
+$NetBSD: patch-ai,v 1.1 2006/06/14 18:57:34 adrianp Exp $
+
+--- sendmail/mime.c.orig	2006-06-13 21:35:58.000000000 +0100
+++ sendmail/mime.c
+@@ -80,6 +80,7 @@ static bool	MapNLtoCRLF;
+ **		boundaries -- the currently pending message boundaries.
+ **			NULL if we are processing the outer portion.
+ **		flags -- to tweak processing.
+**		level -- recursion level.
+ **
+ **	Returns:
+ **		An indicator of what terminated the message part:
+@@ -96,12 +97,13 @@ struct args
+ };
+ 
+ int
+-mime8to7(mci, header, e, boundaries, flags)
+mime8to7(mci, header, e, boundaries, flags, level)
+ 	register MCI *mci;
+ 	HDR *header;
+ 	register ENVELOPE *e;
+ 	char **boundaries;
+ 	int flags;
+	int level;
+ {
+ 	register char *p;
+ 	int linelen;
+@@ -122,6 +124,18 @@ mime8to7(mci, header, e, boundaries, fla
+ 	char pvpbuf[MAXLINE];
+ 	extern unsigned char MimeTokenTab[256];
+ 
+	if (level > MAXMIMENESTING)
+	{
+		if (!bitset(EF_TOODEEP, e->e_flags))
+		{
+			if (tTd(43, 4))
+				sm_dprintf("mime8to7: too deep, level=%d\n",
+					   level);
+			usrerr("mime8to7: recursion level %d exceeded",
+				level);
+			e->e_flags |= EF_DONT_MIME|EF_TOODEEP;
+		}
+	}
+ 	if (tTd(43, 1))
+ 	{
+ 		sm_dprintf("mime8to7: flags = %x, boundaries =", flags);
+@@ -242,7 +256,9 @@ mime8to7(mci, header, e, boundaries, fla
+ 	*/
+ 
+ 	if (sm_strcasecmp(type, "multipart") == 0 &&
+-	    (!bitset(M87F_NO8BIT, flags) || bitset(M87F_NO8TO7, flags)))
+	    (!bitset(M87F_NO8BIT, flags) || bitset(M87F_NO8TO7, flags)) &&
+	    !bitset(EF_TOODEEP, e->e_flags)
+	   )
+ 	{
+ 
+ 		if (sm_strcasecmp(subtype, "digest") == 0)
+@@ -286,10 +302,13 @@ mime8to7(mci, header, e, boundaries, fla
+ 		}
+ 		if (i >= MAXMIMENESTING)
+ 		{
+-			usrerr("mime8to7: multipart nesting boundary too deep");
+			if (tTd(43, 4))
+				sm_dprintf("mime8to7: too deep, i=%d\n", i);
+			if (!bitset(EF_TOODEEP, e->e_flags))
+				usrerr("mime8to7: multipart nesting boundary too deep");
+ 
+ 			/* avoid bounce loops */
+-			e->e_flags |= EF_DONT_MIME;
+			e->e_flags |= EF_DONT_MIME|EF_TOODEEP;
+ 		}
+ 		else
+ 		{
+@@ -333,7 +352,8 @@ mime8to7(mci, header, e, boundaries, fla
+ 				goto writeerr;
+ 			if (tTd(43, 101))
+ 				putline("+++after putheader", mci);
+-			bt = mime8to7(mci, hdr, e, boundaries, flags);
+			bt = mime8to7(mci, hdr, e, boundaries, flags,
+				      level + 1);
+ 			if (bt == SM_IO_EOF)
+ 				goto writeerr;
+ 		}
+@@ -374,7 +394,8 @@ mime8to7(mci, header, e, boundaries, fla
+ 
+ 	if (sm_strcasecmp(type, "message") == 0)
+ 	{
+-		if (!wordinclass(subtype, 's'))
+		if (!wordinclass(subtype, 's') ||
+		    bitset(EF_TOODEEP, e->e_flags))
+ 		{
+ 			flags |= M87F_NO8BIT;
+ 		}
+@@ -397,7 +418,8 @@ mime8to7(mci, header, e, boundaries, fla
+ 			    !bitset(M87F_NO8TO7, flags) &&
+ 			    !putline("MIME-Version: 1.0", mci))
+ 				goto writeerr;
+-			bt = mime8to7(mci, hdr, e, boundaries, flags);
+			bt = mime8to7(mci, hdr, e, boundaries, flags,
+				      level + 1);
+ 			mci->mci_flags &= ~MCIF_INMIME;
+ 			return bt;
+ 		}
--- a/mail/sendmail812/patches/patch-aj
+++ b/mail/sendmail812/patches/patch-aj
@ -0,0 +1,21 @@
+$NetBSD: patch-aj,v 1.1 2006/06/14 18:57:34 adrianp Exp $
+
+--- sendmail/sendmail.h.orig	2006-06-13 21:35:58.000000000 +0100
+++ sendmail/sendmail.h
+@@ -942,6 +942,7 @@ struct envelope
+ #define EF_TOOBIG	0x02000000L	/* message is too big */
+ #define EF_SPLIT	0x04000000L	/* envelope has been split */
+ #define EF_UNSAFE	0x08000000L	/* unsafe: read from untrusted source */
+#define EF_TOODEEP	0x10000000L	/* message is nested too deep */
+ 
+ #define DLVR_NOTIFY	0x01
+ #define DLVR_RETURN	0x02
+@@ -1592,7 +1593,7 @@ EXTERN unsigned long	PrivacyFlags;	/* pr
+ 
+ /* functions */
+ extern bool	mime7to8 __P((MCI *, HDR *, ENVELOPE *));
+-extern int	mime8to7 __P((MCI *, HDR *, ENVELOPE *, char **, int));
+extern int	mime8to7 __P((MCI *, HDR *, ENVELOPE *, char **, int, int));
+ 
+ /*
+ **  Flags passed to returntosender.
--- a/mail/sendmail812/patches/patch-ak
+++ b/mail/sendmail812/patches/patch-ak
@ -0,0 +1,8 @@
+$NetBSD: patch-ak,v 1.1 2006/06/14 18:57:34 adrianp Exp $
+
+--- sendmail/version.c.orig	2006-06-14 19:54:25.000000000 +0100
+++ sendmail/version.c
+@@ -17,2 +17,2 @@ SM_RCSID("@(#)$Id: version.c,v 8.104.2.2
+ 
+-char	Version[] = "8.12.11.20060308";
+char	Version[] = "8.12.11.20060614";