head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.26 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.24 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.2.0.22 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q2:1.2.0.20 pkgsrc-2011Q2-base:1.2 pkgsrc-2009Q4:1.2.0.18 pkgsrc-2009Q4-base:1.2 pkgsrc-2008Q4:1.2.0.16 pkgsrc-2008Q4-base:1.2 pkgsrc-2008Q3:1.2.0.14 pkgsrc-2008Q3-base:1.2 cube-native-xorg:1.2.0.12 cube-native-xorg-base:1.2 pkgsrc-2008Q2:1.2.0.10 pkgsrc-2008Q2-base:1.2 pkgsrc-2008Q1:1.2.0.8 pkgsrc-2008Q1-base:1.2 pkgsrc-2007Q4:1.2.0.6 pkgsrc-2007Q4-base:1.2 pkgsrc-2007Q3:1.2.0.4 pkgsrc-2007Q3-base:1.2 pkgsrc-2007Q2:1.2.0.2 pkgsrc-2007Q2-base:1.2 pkgsrc-2007Q1:1.1.0.10 pkgsrc-2007Q1-base:1.1 pkgsrc-2006Q4:1.1.0.8 pkgsrc-2006Q4-base:1.1 pkgsrc-2006Q3:1.1.0.6 pkgsrc-2006Q3-base:1.1 pkgsrc-2006Q2:1.1.0.4 pkgsrc-2006Q2-base:1.1 pkgsrc-2006Q1:1.1.0.2; locks; strict; comment @# @; 1.2 date 2007.04.17.10.25.38; author jnemeth; state dead; branches; next 1.1; 1.1 date 2006.06.14.18.57.34; author adrianp; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2006.06.14.18.57.34; author salo; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2006.06.14.21.07.23; author salo; state Exp; branches; next ; desc @@ 1.2 log @Removal of sendmail 8.12.x branch from pkgsrc. We already have the 8.13.x and will soon have the 8.14.x branches in pkgsrc. @ text @$NetBSD: patch-ai,v 1.1 2006/06/14 18:57:34 adrianp Exp $ --- sendmail/mime.c.orig 2006-06-13 21:35:58.000000000 +0100 +++ sendmail/mime.c @@@@ -80,6 +80,7 @@@@ static bool MapNLtoCRLF; ** boundaries -- the currently pending message boundaries. ** NULL if we are processing the outer portion. ** flags -- to tweak processing. +** level -- recursion level. 
** ** Returns: ** An indicator of what terminated the message part: @@@@ -96,12 +97,13 @@@@ struct args }; int -mime8to7(mci, header, e, boundaries, flags) +mime8to7(mci, header, e, boundaries, flags, level) register MCI *mci; HDR *header; register ENVELOPE *e; char **boundaries; int flags; + int level; { register char *p; int linelen; @@@@ -122,6 +124,18 @@@@ mime8to7(mci, header, e, boundaries, fla char pvpbuf[MAXLINE]; extern unsigned char MimeTokenTab[256]; + if (level > MAXMIMENESTING) + { + if (!bitset(EF_TOODEEP, e->e_flags)) + { + if (tTd(43, 4)) + sm_dprintf("mime8to7: too deep, level=%d\n", + level); + usrerr("mime8to7: recursion level %d exceeded", + level); + e->e_flags |= EF_DONT_MIME|EF_TOODEEP; + } + } if (tTd(43, 1)) { sm_dprintf("mime8to7: flags = %x, boundaries =", flags); @@@@ -242,7 +256,9 @@@@ mime8to7(mci, header, e, boundaries, fla */ if (sm_strcasecmp(type, "multipart") == 0 && - (!bitset(M87F_NO8BIT, flags) || bitset(M87F_NO8TO7, flags))) + (!bitset(M87F_NO8BIT, flags) || bitset(M87F_NO8TO7, flags)) && + !bitset(EF_TOODEEP, e->e_flags) + ) { if (sm_strcasecmp(subtype, "digest") == 0) @@@@ -286,10 +302,13 @@@@ mime8to7(mci, header, e, boundaries, fla } if (i >= MAXMIMENESTING) { - usrerr("mime8to7: multipart nesting boundary too deep"); + if (tTd(43, 4)) + sm_dprintf("mime8to7: too deep, i=%d\n", i); + if (!bitset(EF_TOODEEP, e->e_flags)) + usrerr("mime8to7: multipart nesting boundary too deep"); /* avoid bounce loops */ - e->e_flags |= EF_DONT_MIME; + e->e_flags |= EF_DONT_MIME|EF_TOODEEP; } else { @@@@ -333,7 +352,8 @@@@ mime8to7(mci, header, e, boundaries, fla goto writeerr; if (tTd(43, 101)) putline("+++after putheader", mci); - bt = mime8to7(mci, hdr, e, boundaries, flags); + bt = mime8to7(mci, hdr, e, boundaries, flags, + level + 1); if (bt == SM_IO_EOF) goto writeerr; } @@@@ -374,7 +394,8 @@@@ mime8to7(mci, header, e, boundaries, fla if (sm_strcasecmp(type, "message") == 0) { - if (!wordinclass(subtype, 's')) + if 
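Review bot: Because mime8to7() is defined K&R-style, the added `level` parameter in the `-96,12 +97,13` hunk is only checked at call sites if the function's prototype is updated too; a caller still passing five arguments would compile and read an indeterminate `level`. The two recursive calls in this patch pass `level + 1`, but the declaration and the external callers are not in this file's hunks, so confirm that the companion patches update the prototype and make each top-level call pass `0`. `EF_TOODEEP` is also used here without being defined in any visible hunk, so its definition presumably comes from another patch in the set. The same applies to the identical copy of this patch stored in the 1.1.2.2 revision text.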
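Review bot: The depth guard added in the `-122,6 +124,18` hunk does not return when `level > MAXMIMENESTING`; it only sets `EF_DONT_MIME|EF_TOODEEP` and falls through. Recursion therefore stops only because the later `multipart` and `message` branches test `EF_TOODEEP`. A comment on the guard would make that dependency explicit, for example `/* no return: EF_TOODEEP makes the multipart/message branches below skip further recursion */`. The flag is set on the envelope and is not cleared in any visible hunk, so once one part nests too deeply, every later part of the same message, including shallow ones, appears to be passed through as opaque; per the log message that content is not checked further, which should be documented as a known limit of the MaxMimeHeaderLength enforcement. The function body starts and ends outside this hunk.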
(!wordinclass(subtype, 's') || + bitset(EF_TOODEEP, e->e_flags)) { flags |= M87F_NO8BIT; } @@@@ -397,7 +418,8 @@@@ mime8to7(mci, header, e, boundaries, fla !bitset(M87F_NO8TO7, flags) && !putline("MIME-Version: 1.0", mci)) goto writeerr; - bt = mime8to7(mci, hdr, e, boundaries, flags); + bt = mime8to7(mci, hdr, e, boundaries, flags, + level + 1); mci->mci_flags &= ~MCIF_INMIME; return bt; } @ 1.1 log @Bump PKGREVISION. A malformed MIME structure with many parts can cause sendmail to crash while trying to send a mail due to a stack overflow, e.g., if the stack size is limited (ulimit -s). This happens because the recursion of the function mime8to7() was not restricted. The function is called for MIME 8 to 7 bit conversion and also to enforce MaxMimeHeaderLength. To work around this problem, recursive calls are limited to a depth of MAXMIMENESTING (20); message content after this limit is treated as opaque and is not checked further. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-ai was added on branch pkgsrc-2006Q1 on 2006-06-14 18:57:34 +0000 @ text @d1 103 @ 1.1.2.2 log @Pullup ticket 1701 - requested by adrianp security fix for sendmail812 Patch provided by the submitter. Module Name: pkgsrc Committed By: adrianp Date: Wed Jun 14 18:57:34 UTC 2006 Modified Files: pkgsrc/mail/sendmail812: Makefile distinfo Added Files: pkgsrc/mail/sendmail812/patches: patch-ah patch-ai patch-aj patch-ak Log Message: Bump PKGREVISION. A malformed MIME structure with many parts can cause sendmail to crash while trying to send a mail due to a stack overflow, e.g., if the stack size is limited (ulimit -s). This happens because the recursion of the function mime8to7() was not restricted. The function is called for MIME 8 to 7 bit conversion and also to enforce MaxMimeHeaderLength. To work around this problem, recursive calls are limited to a depth of MAXMIMENESTING (20); message content after this limit is treated as opaque and is not checked further. 
@ text @a0 103 $NetBSD: patch-ai,v 1.1.2.1 2006/06/14 21:07:23 salo Exp $ --- sendmail/mime.c.orig 2006-06-13 21:35:58.000000000 +0100 +++ sendmail/mime.c @@@@ -80,6 +80,7 @@@@ static bool MapNLtoCRLF; ** boundaries -- the currently pending message boundaries. ** NULL if we are processing the outer portion. ** flags -- to tweak processing. +** level -- recursion level. ** ** Returns: ** An indicator of what terminated the message part: @@@@ -96,12 +97,13 @@@@ struct args }; int -mime8to7(mci, header, e, boundaries, flags) +mime8to7(mci, header, e, boundaries, flags, level) register MCI *mci; HDR *header; register ENVELOPE *e; char **boundaries; int flags; + int level; { register char *p; int linelen; @@@@ -122,6 +124,18 @@@@ mime8to7(mci, header, e, boundaries, fla char pvpbuf[MAXLINE]; extern unsigned char MimeTokenTab[256]; + if (level > MAXMIMENESTING) + { + if (!bitset(EF_TOODEEP, e->e_flags)) + { + if (tTd(43, 4)) + sm_dprintf("mime8to7: too deep, level=%d\n", + level); + usrerr("mime8to7: recursion level %d exceeded", + level); + e->e_flags |= EF_DONT_MIME|EF_TOODEEP; + } + } if (tTd(43, 1)) { sm_dprintf("mime8to7: flags = %x, boundaries =", flags); @@@@ -242,7 +256,9 @@@@ mime8to7(mci, header, e, boundaries, fla */ if (sm_strcasecmp(type, "multipart") == 0 && - (!bitset(M87F_NO8BIT, flags) || bitset(M87F_NO8TO7, flags))) + (!bitset(M87F_NO8BIT, flags) || bitset(M87F_NO8TO7, flags)) && + !bitset(EF_TOODEEP, e->e_flags) + ) { if (sm_strcasecmp(subtype, "digest") == 0) @@@@ -286,10 +302,13 @@@@ mime8to7(mci, header, e, boundaries, fla } if (i >= MAXMIMENESTING) { - usrerr("mime8to7: multipart nesting boundary too deep"); + if (tTd(43, 4)) + sm_dprintf("mime8to7: too deep, i=%d\n", i); + if (!bitset(EF_TOODEEP, e->e_flags)) + usrerr("mime8to7: multipart nesting boundary too deep"); /* avoid bounce loops */ - e->e_flags |= EF_DONT_MIME; + e->e_flags |= EF_DONT_MIME|EF_TOODEEP; } else { @@@@ -333,7 +352,8 @@@@ mime8to7(mci, header, e, boundaries, fla goto 
writeerr; if (tTd(43, 101)) putline("+++after putheader", mci); - bt = mime8to7(mci, hdr, e, boundaries, flags); + bt = mime8to7(mci, hdr, e, boundaries, flags, + level + 1); if (bt == SM_IO_EOF) goto writeerr; } @@@@ -374,7 +394,8 @@@@ mime8to7(mci, header, e, boundaries, fla if (sm_strcasecmp(type, "message") == 0) { - if (!wordinclass(subtype, 's')) + if (!wordinclass(subtype, 's') || + bitset(EF_TOODEEP, e->e_flags)) { flags |= M87F_NO8BIT; } @@@@ -397,7 +418,8 @@@@ mime8to7(mci, header, e, boundaries, fla !bitset(M87F_NO8TO7, flags) && !putline("MIME-Version: 1.0", mci)) goto writeerr; - bt = mime8to7(mci, hdr, e, boundaries, flags); + bt = mime8to7(mci, hdr, e, boundaries, flags, + level + 1); mci->mci_flags &= ~MCIF_INMIME; return bt; } @