Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!crdgw1!uunet!mcsun!hp4nl!nikhefh!e07
From: e07@nikhefh.nikhef.nl (Eric Wassenaar)
Newsgroups: comp.mail.sendmail
Subject: Unsafe test for invalid control chars
Message-ID: <1233@nikhefh.nikhef.nl>
Date: 16 May 91 20:38:39 GMT
Sender: e07@nikhef.nl (Eric Wassenaar)
Organization: Nikhef-H, Amsterdam (the Netherlands).
Lines: 60

The IDA versions of sendmail call invalidaddr() in the beginning of
parseaddr() just before the call to prescan(), in order to catch
addresses containing invalid control characters by which prescan
may get confused.

However, if such an event happens, parseaddr() immediately returns
without setting the global variable DelimChar which is needed by
sendtolist() in case a multi-recipient list is being processed.
Normally, DelimChar is set by prescan().

DelimChar is now completely undefined (probably pointing to the
end of an address for which prescan() has been called earlier,
hopefully pointing to a '\0' byte. In that case, the whole list
of addresses gets rejected, otherwise disaster may follow).

Here are the relevant pieces of code from recipient.c and parseaddr.c

	sendtolist(list, ctladdr, sendq)
	{
		for (p = list; *p != '\0'; )
		{
			a = parseaddr(p, (ADDRESS *) NULL, 1, delimiter);
			p = DelimChar;
			if (a == NULL)
				continue;

	parseaddr(addr, a, copyf, delim)
	{
		if (invalidaddr(addr))
			return (NULL);

		pvp = prescan(addr, delim, pvpbuf);
		if (pvp == NULL)
			return (NULL);

Suggested fix:
Using my recently posted routine find_delim() and temporarily
patching the address list to test only the one relevant recipient,
change the call to invalidaddr() to:

	{
		extern char *find_delim();
		extern char *DelimChar;
		char savec;
		bool invalid;

		DelimChar = find_delim(addr, delim);
		savec = *DelimChar;
		*DelimChar = '\0';
		invalid = invalidaddr(addr);
		*DelimChar = savec;
		if (invalid)
			return (NULL);
	}

Eric Wassenaar
-- 
Organization: NIKHEF-H, National Institute for Nuclear and High-Energy Physics
Address: Kruislaan 409, P.O. Box 41882, 1009 DB Amsterdam, the Netherlands
Phone: +31 20 592 0412, Home: +31 20 6909449, Telefax: +31 20 592 5155
Internet: e07@nikhef.nl
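
Added example, not part of Eric Wassenaar's post and not sendmail source: a self-contained toy model of the suggested fix, showing that when the resume pointer is set before the validity check, one bad recipient is rejected and the walk continues with the rest of the list. The bodies of find_delim() and invalidaddr() are assumed stand-ins, and parse_one() and walk_list() are hypothetical names for simplified versions of parseaddr() and sendtolist().

```c
#include <stdio.h>

/* Toy model, not sendmail source: all helpers are simplified stand-ins. */
static char *DelimChar; /* where the list walker resumes, as in the post */

/* Assumed behaviour of find_delim(): first delimiter or the final '\0'. */
static char *find_delim(char *addr, char delim) {
    while (*addr != '\0' && *addr != delim) addr++;
    return addr;
}

/* Stand-in for invalidaddr(): flag ASCII control characters. */
static int invalidaddr(const char *addr) {
    for (; *addr != '\0'; addr++)
        if ((unsigned char)*addr < 0x20 || *addr == 0x7f) return 1;
    return 0;
}

/* Returns 1 if accepted, 0 if rejected; DelimChar is set on both paths. */
static int parse_one(char *addr, char delim) {
    char savec;
    int invalid;
    DelimChar = find_delim(addr, delim);
    savec = *DelimChar;
    *DelimChar = '\0';            /* check only this recipient */
    invalid = invalidaddr(addr);
    *DelimChar = savec;           /* restore the caller's list */
    return !invalid;
}

/* Walk a delimiter-separated list, counting accepted and rejected entries. */
static int walk_list(char *list, char delim, int *rejected) {
    int accepted = 0;
    char *p = list;
    *rejected = 0;
    while (*p != '\0') {
        if (parse_one(p, delim)) accepted++; else (*rejected)++;
        p = DelimChar;            /* always fresh, even after a rejection */
        if (*p == delim) p++;     /* toy model: step over the delimiter */
    }
    return accepted;
}

int main(void) {
    char list[] = "alice,b\001ob,carol";  /* constructed sample input */
    int rejected;
    int accepted = walk_list(list, ',', &rejected);
    printf("accepted=%d rejected=%d\n", accepted, rejected);
    return 0;
}
```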