|
 |
4b1875e |
Author: Andreas Beckmann <anbe@debian.org>
|
|
|
4b1875e |
Description: fix FTBFS with -Werror=format-security
|
|
|
4b1875e |
If a message string from an (untrusted) external source may start with a
|
|
|
4b1875e |
smtp status code ("123 4.5.6 Foobar"), we cannot sanitize this via
|
|
|
4b1875e |
("%s", string) since the status code is expected as part of the format
|
|
|
4b1875e |
string. Therefore verify that the message string contains no formatting
|
|
|
4b1875e |
codes before passing it as the format string. Add a dummy argument to
|
|
|
4b1875e |
suppress the "format not a string literal and no format arguments" error
|
|
|
4b1875e |
in this case.
|
|
|
4b1875e |
|
|
|
64c461c |
--- a/sendmail/envelope.c
|
|
|
64c461c |
+++ b/sendmail/envelope.c
|
|
|
64c461c |
@@ -323,7 +323,7 @@ dropenvelope(e, fulldrop, split)
|
|
|
64c461c |
|
|
|
64c461c |
/* don't free, allocated from e_rpool */
|
|
|
64c461c |
e->e_message = sm_rpool_strdup_x(e->e_rpool, buf);
|
|
|
64c461c |
- message(buf);
|
|
|
64c461c |
+ message("%s", buf);
|
|
|
64c461c |
e->e_flags |= EF_CLRQUEUE;
|
|
|
64c461c |
}
|
|
|
64c461c |
if (msg_timeout == MSG_NOT_BY)
|
|
|
64c461c |
@@ -420,7 +420,7 @@ dropenvelope(e, fulldrop, split)
|
|
|
64c461c |
/* don't free, allocated from e_rpool */
|
|
|
64c461c |
e->e_message = sm_rpool_strdup_x(e->e_rpool,
|
|
|
64c461c |
buf);
|
|
|
64c461c |
- message(buf);
|
|
|
64c461c |
+ message("%s", buf);
|
|
|
64c461c |
e->e_flags |= EF_WARNING;
|
|
|
64c461c |
}
|
|
|
64c461c |
if (msg_timeout == MSG_WARN_BY)
|
|
|
64c461c |
--- a/sendmail/parseaddr.c
|
|
|
64c461c |
+++ b/sendmail/parseaddr.c
|
|
|
4b1875e |
@@ -218,7 +218,7 @@ parseaddr(addr, a, flags, delim, delimpt
|
|
|
64c461c |
msg = "Deferring message until queue run";
|
|
|
64c461c |
if (tTd(20, 1))
|
|
|
64c461c |
sm_dprintf("parseaddr: queueing message\n");
|
|
|
64c461c |
- message(msg);
|
|
|
64c461c |
+ message("%s", msg);
|
|
|
64c461c |
if (e->e_message == NULL && e->e_sendmode != SM_DEFER)
|
|
|
64c461c |
e->e_message = sm_rpool_strdup_x(e->e_rpool, msg);
|
|
|
64c461c |
a->q_state = QS_QUEUEUP;
|
|
|
64c461c |
--- a/sendmail/srvrsmtp.c
|
|
|
64c461c |
+++ b/sendmail/srvrsmtp.c
|
|
|
4b1875e |
@@ -122,6 +122,26 @@ extern ENVELOPE BlankEnvelope;
|
|
|
4b1875e |
#define SKIP_SPACE(s) while (isascii(*s) && isspace(*s)) \
|
|
|
4b1875e |
(s)++
|
|
|
4b1875e |
|
|
|
4b1875e |
+static inline void
|
|
|
4b1875e |
+message1(fmt)
|
|
|
4b1875e |
+ char *fmt;
|
|
|
4b1875e |
+{
|
|
|
4b1875e |
+ if (strchr(fmt, '%') == NULL)
|
|
|
4b1875e |
+ message(fmt, NULL);
|
|
|
4b1875e |
+ else
|
|
|
4b1875e |
+ message("%s", fmt);
|
|
|
4b1875e |
+}
|
|
|
4b1875e |
+
|
|
|
4b1875e |
+static inline void
|
|
|
4b1875e |
+usrerr1(fmt)
|
|
|
4b1875e |
+ char *fmt;
|
|
|
4b1875e |
+{
|
|
|
4b1875e |
+ if (strchr(fmt, '%') == NULL)
|
|
|
4b1875e |
+ usrerr(fmt, NULL);
|
|
|
4b1875e |
+ else
|
|
|
4b1875e |
+ usrerr("%s", fmt);
|
|
|
4b1875e |
+}
|
|
|
4b1875e |
+
|
|
|
4b1875e |
/*
|
|
|
4b1875e |
** PARSE_ESMTP_ARGS -- parse EMSTP arguments (for MAIL, RCPT)
|
|
|
4b1875e |
**
|
|
|
4b1875e |
@@ -578,13 +598,13 @@ static bool smtp_data __P((SMTP_T *, ENV
|
|
|
64c461c |
bool tsave = QuickAbort; \
|
|
|
64c461c |
\
|
|
|
64c461c |
QuickAbort = false; \
|
|
|
64c461c |
- usrerr(response); \
|
|
|
4b1875e |
+ usrerr1(response); \
|
|
|
64c461c |
QuickAbort = tsave; \
|
|
|
64c461c |
e->e_sendqueue = NULL; \
|
|
|
64c461c |
goto doquit; \
|
|
|
64c461c |
} \
|
|
|
64c461c |
else \
|
|
|
64c461c |
- usrerr(response); \
|
|
|
4b1875e |
+ usrerr1(response); \
|
|
|
64c461c |
break; \
|
|
|
64c461c |
\
|
|
|
64c461c |
case SMFIR_REJECT: \
|
|
|
4b1875e |
@@ -931,7 +951,7 @@ smtp(nullserver, d_flags, e)
|
|
|
64c461c |
}
|
|
|
64c461c |
else if (strncmp(nullserver, "421 ", 4) == 0)
|
|
|
64c461c |
{
|
|
|
64c461c |
- message(nullserver);
|
|
|
4b1875e |
+ message1(nullserver);
|
|
|
64c461c |
goto doquit;
|
|
|
64c461c |
}
|
|
|
64c461c |
|
|
|
4b1875e |
@@ -1849,7 +1869,7 @@ smtp(nullserver, d_flags, e)
|
|
|
64c461c |
if (nullserver != NULL)
|
|
|
64c461c |
{
|
|
|
64c461c |
if (ISSMTPREPLY(nullserver))
|
|
|
64c461c |
- usrerr(nullserver);
|
|
|
4b1875e |
+ usrerr1(nullserver);
|
|
|
64c461c |
else
|
|
|
64c461c |
usrerr("550 5.0.0 %s",
|
|
|
64c461c |
nullserver);
|
|
|
4b1875e |
@@ -2452,7 +2472,7 @@ smtp(nullserver, d_flags, e)
|
|
|
64c461c |
tempfail = true;
|
|
|
64c461c |
smtp.sm_milterize = false;
|
|
|
64c461c |
if (response != NULL)
|
|
|
64c461c |
- usrerr(response);
|
|
|
4b1875e |
+ usrerr1(response);
|
|
|
64c461c |
else
|
|
|
64c461c |
message("421 4.7.0 %s closing connection",
|
|
|
64c461c |
MyHostName);
|
|
|
4b1875e |
@@ -3659,7 +3679,7 @@ smtp_data(smtp, e)
|
|
|
64c461c |
(void) extenhsc(response + 4, ' ', e->e_enhsc);
|
|
|
64c461c |
#endif /* _FFR_MILTER_ENHSC */
|
|
|
64c461c |
|
|
|
64c461c |
- usrerr(response);
|
|
|
4b1875e |
+ usrerr1(response);
|
|
|
64c461c |
if (strncmp(response, "421 ", 4) == 0
|
|
|
64c461c |
|| strncmp(response, "421-", 4) == 0)
|
|
|
64c461c |
{
|
|
|
4b1875e |
@@ -3779,7 +3799,7 @@ smtp_data(smtp, e)
|
|
|
64c461c |
if (ISSMTPCODE(response))
|
|
|
64c461c |
(void) extenhsc(response + 4, ' ', e->e_enhsc);
|
|
|
64c461c |
#endif /* _FFR_MILTER_ENHSC */
|
|
|
64c461c |
- usrerr(response);
|
|
|
4b1875e |
+ usrerr1(response);
|
|
|
64c461c |
if (strncmp(response, "421 ", 4) == 0
|
|
|
64c461c |
|| strncmp(response, "421-", 4) == 0)
|
|
|
64c461c |
rv = false;
|