https://bugs.exim.org/show_bug.cgi?id=3188

            Bug ID: 3188
           Summary: Heap buffer overflow in ratelimit Bloom filter due to
                    unvalidated bloom_size
           Product: Exim
           Version: 4.99
          Hardware: x86
                OS: All
            Status: NEW
          Severity: bug
          Priority: medium
         Component: ACLs
          Assignee: [email protected]
          Reporter: [email protected]
                CC: [email protected]

Created attachment 1528
  --> https://bugs.exim.org/attachment.cgi?id=1528&action=edit
Patch validating bloom_size in ratelimit Bloom filter records to prevent heap
buffer overflow

A heap buffer overflow exists in the ratelimit ACL unique tracking logic
when processing Bloom filter data loaded from the hints database.

The dbdata_ratelimit_unique structure contains a variable-sized Bloom
filter, with bloom_size indicating the number of valid bytes. However,
bloom_size is not validated against the actual size of the database
record before being used as a modulo bound when updating the filter.

A malformed or malicious database record can therefore specify an
oversized bloom_size value, causing out-of-bounds heap writes during
Bloom filter updates in acl_ratelimit().

This can occur when using ratelimit with unique or per_addr keys that
include attacker-controlled input, and may be triggered remotely during
SMTP transactions.

The attached patch validates bloom_size against the actual record size
(using offsetof()), rejects zero or oversized values, logs invalid
records, and safely discards them. Normal ratelimit behavior for valid
records is unchanged.

This fixes CVE-2025-67896.

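As an added illustration of the check the patch description calls for (validating the claimed bloom_size against the real record length, using offsetof() for the fixed header, rejecting zero or oversized values, logging and discarding the record), here is a small self-contained C program. It is not Exim's code and not the attached patch: the record layout, the hash-mixing scheme and the sample records are constructed for the example, and only the shape of the check is taken from the report.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Hypothetical record layout modelled on the bug description; it is NOT Exim's
 * real dbdata_ratelimit_unique and only serves to make the check concrete. */
typedef struct {
    time_t        time_stamp;   /* fixed-size header fields */
    int           bloom_epoch;
    unsigned int  bloom_size;   /* claimed number of valid bytes in bloom[] */
    unsigned char bloom[];      /* variable-sized Bloom filter follows the header */
} ratelimit_unique_rec;

typedef enum {
    REC_OK = 0,
    REC_TRUNCATED,   /* shorter than the fixed header: bloom_size cannot be read */
    REC_ZERO_SIZE,   /* bloom_size == 0: "% bloom_size" would divide by zero */
    REC_OVERSIZED    /* bloom_size claims more bytes than the record holds */
} rec_status;

#define BLOOM_OFFSET offsetof(ratelimit_unique_rec, bloom)

/* Read bloom_size without assuming the DB buffer is aligned for the struct. */
static unsigned int read_bloom_size(const void *rec)
{
    unsigned int n;
    memcpy(&n, (const unsigned char *)rec + offsetof(ratelimit_unique_rec, bloom_size), sizeof n);
    return n;
}

/* Validate a record as returned by the hints database. rec_len is the length the
 * DB layer reports, the only size figure the record contents cannot lie about. */
rec_status validate_ratelimit_record(const void *rec, size_t rec_len)
{
    if (rec_len < BLOOM_OFFSET)
        return REC_TRUNCATED;
    unsigned int bloom_size = read_bloom_size(rec);
    if (bloom_size == 0)
        return REC_ZERO_SIZE;
    if (bloom_size > rec_len - BLOOM_OFFSET)   /* header already subtracted safely */
        return REC_OVERSIZED;
    return REC_OK;
}

/* Bit position for probe i of a constructed double-hashing scheme (h1 + i*h2).
 * The result is always < bloom_size*8, so the byte index stays inside bloom[]. */
static size_t bloom_bit(uint32_t h1, uint32_t h2, int i, size_t bloom_size)
{
    return (size_t)(h1 + (uint32_t)i * h2) % (bloom_size * 8);
}

/* Record one key in the filter. Returns false, after logging, when the record is
 * malformed; the caller then discards the record instead of updating it. */
bool bloom_add(void *rec, size_t rec_len, uint32_t h1, uint32_t h2, int k)
{
    rec_status st = validate_ratelimit_record(rec, rec_len);
    if (st != REC_OK) {
        fprintf(stderr, "ratelimit: discarding invalid unique record (len=%zu, status=%d)\n",
                rec_len, (int)st);
        return false;
    }
    size_t bloom_size = read_bloom_size(rec);
    unsigned char *bloom = (unsigned char *)rec + BLOOM_OFFSET;
    for (int i = 0; i < k; i++) {
        size_t bit = bloom_bit(h1, h2, i, bloom_size);
        bloom[bit / 8] |= (unsigned char)(1u << (bit % 8));
    }
    return true;
}

/* Membership probe with the same validation; an invalid record reads as "absent". */
bool bloom_test(const void *rec, size_t rec_len, uint32_t h1, uint32_t h2, int k)
{
    if (validate_ratelimit_record(rec, rec_len) != REC_OK)
        return false;
    size_t bloom_size = read_bloom_size(rec);
    const unsigned char *bloom = (const unsigned char *)rec + BLOOM_OFFSET;
    for (int i = 0; i < k; i++) {
        size_t bit = bloom_bit(h1, h2, i, bloom_size);
        if (!(bloom[bit / 8] & (1u << (bit % 8))))
            return false;
    }
    return true;
}

/* Build a constructed test record whose header claims `claimed` bloom bytes while
 * only `actual` bytes follow the header. Returns the record length, 0 if buf is too small. */
size_t make_record(unsigned char *buf, size_t cap, unsigned int claimed, size_t actual)
{
    if (cap < BLOOM_OFFSET + actual)
        return 0;
    memset(buf, 0, BLOOM_OFFSET + actual);
    memcpy(buf + offsetof(ratelimit_unique_rec, bloom_size), &claimed, sizeof claimed);
    return BLOOM_OFFSET + actual;
}

int main(void)
{
    unsigned char buf[256];
    size_t n = make_record(buf, sizeof buf, 8, 8);    /* consistent record */
    printf("consistent: status=%d add=%d\n", validate_ratelimit_record(buf, n),
           bloom_add(buf, n, 0x12345678u, 0x9abcdef1u, 3));
    n = make_record(buf, sizeof buf, 64, 8);          /* claims 64 bytes, holds 8 */
    printf("oversized: status=%d add=%d\n", validate_ratelimit_record(buf, n),
           bloom_add(buf, n, 0x12345678u, 0x9abcdef1u, 3));
    return 0;
}
```

The point of the layout is that every index computed from bloom_size is bounded by a value that was first compared against rec_len, the one length the database layer supplies independently of the record contents; a record whose header claims more filter bytes than the record carries is logged and dropped before any write touches bloom[].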