Author: Andreas Beckmann Description: fix FTBFS with -Werror=format-security If a message string from an (untrusted) external source may start with a smtp status code ("123 4.5.6 Foobar"), we cannot sanitize this via ("%s", string) since the status code is expected as part of the format string. Therefore verify that the message string contains no formatting codes before passing it as the format string. Add a dummy argument to suppress the "format not a string literal and no format arguments" error in this case. --- a/sendmail/envelope.c +++ b/sendmail/envelope.c @@ -323,7 +323,7 @@ dropenvelope(e, fulldrop, split) /* don't free, allocated from e_rpool */ e->e_message = sm_rpool_strdup_x(e->e_rpool, buf); - message(buf); + message("%s", buf); e->e_flags |= EF_CLRQUEUE; } if (msg_timeout == MSG_NOT_BY) @@ -420,7 +420,7 @@ dropenvelope(e, fulldrop, split) /* don't free, allocated from e_rpool */ e->e_message = sm_rpool_strdup_x(e->e_rpool, buf); - message(buf); + message("%s", buf); e->e_flags |= EF_WARNING; } if (msg_timeout == MSG_WARN_BY) --- a/sendmail/parseaddr.c +++ b/sendmail/parseaddr.c @@ -218,7 +218,7 @@ parseaddr(addr, a, flags, delim, delimpt msg = "Deferring message until queue run"; if (tTd(20, 1)) sm_dprintf("parseaddr: queueing message\n"); - message(msg); + message("%s", msg); if (e->e_message == NULL && e->e_sendmode != SM_DEFER) e->e_message = sm_rpool_strdup_x(e->e_rpool, msg); a->q_state = QS_QUEUEUP; --- a/sendmail/srvrsmtp.c +++ b/sendmail/srvrsmtp.c @@ -122,6 +122,26 @@ extern ENVELOPE BlankEnvelope; #define SKIP_SPACE(s) while (isascii(*s) && isspace(*s)) \ (s)++ +static inline void +message1(fmt) + char *fmt; +{ + if (strchr(fmt, '%') == NULL) + message(fmt, NULL); + else + message("%s", fmt); +} + +static inline void +usrerr1(fmt) + char *fmt; +{ + if (strchr(fmt, '%') == NULL) + usrerr(fmt, NULL); + else + usrerr("%s", fmt); +} + /* ** PARSE_ESMTP_ARGS -- parse EMSTP arguments (for MAIL, RCPT) ** @@ -578,13 +598,13 @@ static bool smtp_data __P((SMTP_T *, ENV bool tsave = QuickAbort; \ \ QuickAbort = false; \ - usrerr(response); \ + usrerr1(response); \ QuickAbort = tsave; \ e->e_sendqueue = NULL; \ goto doquit; \ } \ else \ - usrerr(response); \ + usrerr1(response); \ break; \ \ case SMFIR_REJECT: \ @@ -931,7 +951,7 @@ smtp(nullserver, d_flags, e) } else if (strncmp(nullserver, "421 ", 4) == 0) { - message(nullserver); + message1(nullserver); goto doquit; } @@ -1849,7 +1869,7 @@ smtp(nullserver, d_flags, e) if (nullserver != NULL) { if (ISSMTPREPLY(nullserver)) - usrerr(nullserver); + usrerr1(nullserver); else usrerr("550 5.0.0 %s", nullserver); @@ -2452,7 +2472,7 @@ smtp(nullserver, d_flags, e) tempfail = true; smtp.sm_milterize = false; if (response != NULL) - usrerr(response); + usrerr1(response); else message("421 4.7.0 %s closing connection", MyHostName); @@ -3659,7 +3679,7 @@ smtp_data(smtp, e) (void) extenhsc(response + 4, ' ', e->e_enhsc); #endif /* _FFR_MILTER_ENHSC */ - usrerr(response); + usrerr1(response); if (strncmp(response, "421 ", 4) == 0 || strncmp(response, "421-", 4) == 0) { @@ -3779,7 +3799,7 @@ smtp_data(smtp, e) if (ISSMTPCODE(response)) (void) extenhsc(response + 4, ' ', e->e_enhsc); #endif /* _FFR_MILTER_ENHSC */ - usrerr(response); + usrerr1(response); if (strncmp(response, "421 ", 4) == 0 || strncmp(response, "421-", 4) == 0) rv = false;