Hello,
> Am 03.01.2025 um 16:01 schrieb Wietse Venema via Postfix-devel
> <postfix-devel@postfix.org>:
>
> Christian R??ner via Postfix-devel:
>> Hello,
>>
>>> Am 20.12.2024 um 19:26 schrieb Wietse Venema via Postfix-devel
>>> <postfix-devel@postfix.org>:
>>>
>>> Christian Roessner via Postfix-devel:
>>>> Hi,
>>>>
>>>> why does exist a hard coded limit of 100000 characters in the
>>>> netstring payload for socket maps? I have a customer who uses a
>>>> socketmap for virtual aliases and he had to switch to the memcache
>>>> protocol (he wrote a service speaking memcache) to workaround this
>>>> issue, because memcache values seem not to have this limit.
>>>
>>> Even memcached has limits, he just hasn't run into them.
>>>
>>> Postfix virtual aliases have multiple limits. In fact, Postfix has
>>> limits for everything, to prevent one bad actior from locking up
>>> the entire server.
>>>
>>>> Would it be possible to either drop this limit,
>>>
>>> Sorry, that would make Postfix vulnerable by default, and that is
>>> undesirable.
>>>
>>>> set it higher it or have a configuration parameter for it?
>>>
>>> It could be made configurable. For an example of this, see how the
>>> "berkeley_db_read_buffer_size" configuration parameter controls a
>>> global variable in the dict_db.c module.
>>>
>>> Such a global variable already exists in dict_sockmap.c.
>>
>> It is about 25 years ago that I did C-programming, so please be nice to me,
>> if my first attempt is not perfect ;-)
>>
>> Could you please give me a hint, if the following approach goes into the
>> right direction?
>
> Very close; the dict_sockmap_max_reply variable can be owned by
> the dict_sockmap class, and exported by the header file for that
> class.
>
> dict_sockmap.c: replace: int dict_sockmap_max_reply;
> with: int dict_sockmap_max_reply = 100000;
> (to test the dict_db.c code without linking it with
> the rest of Postfix).
>
> dict_sockmap.h: add: extern int dict_sockmap_max_reply;
>
> mail_params.h: remove: extern int dict_sockmap_max_reply;
>
> mail_params.c: add: #include <dict_sockmap.h>
>
> mail_params.c: remove: int dict_sockmap_max_reply;
Now it looks like this:
------------------------------------------------------------------------------------------------------------------------
diff --color -Naur postfix-3.9.1/src/global/mail_params.c
postfix-3.9.1-with-sockmap_var/src/global/mail_params.c
--- postfix-3.9.1/src/global/mail_params.c 2023-06-10 23:15:48
+++ postfix-3.9.1-with-sockmap_var/src/global/mail_params.c 2025-01-06
10:28:59
@@ -223,6 +223,7 @@
#include <dict.h>
#include <dict_db.h>
#include <dict_lmdb.h>
+#include <dict_sockmap.h>
#include <inet_proto.h>
#include <vstring_vstream.h>
#include <iostuff.h>
@@ -352,6 +353,7 @@
int var_verify_neg_cache;
int var_oldlog_compat;
int var_delay_max_res;
+int var_sockmap_max_reply;
char *var_int_filt_classes;
int var_cyrus_sasl_authzid;
@@ -838,6 +840,7 @@
VAR_MIME_BOUND_LEN, DEF_MIME_BOUND_LEN, &var_mime_bound_len, 1, 0,
VAR_DELAY_MAX_RES, DEF_DELAY_MAX_RES, &var_delay_max_res,
MIN_DELAY_MAX_RES, MAX_DELAY_MAX_RES,
VAR_INET_WINDOW, DEF_INET_WINDOW, &var_inet_windowsize, 0, 0,
+ VAR_SOCKMAP_MAX_REPLY, DEF_SOCKMAP_MAX_REPLY, &var_sockmap_max_reply, 1, 0,
0,
};
static const CONFIG_LONG_TABLE long_defaults[] = {
@@ -986,6 +989,7 @@
check_overlap();
dict_db_cache_size = var_db_read_buf;
dict_lmdb_map_size = var_lmdb_map_size;
+ dict_sockmap_max_reply = var_sockmap_max_reply;
inet_windowsize = var_inet_windowsize;
if (set_logwriter_create_perms(var_maillog_file_perms) < 0)
msg_warn("ignoring bad permissions: %s = %s",
diff --color -Naur postfix-3.9.1/src/global/mail_params.h
postfix-3.9.1-with-sockmap_var/src/global/mail_params.h
--- postfix-3.9.1/src/global/mail_params.h 2024-02-20 16:37:05
+++ postfix-3.9.1-with-sockmap_var/src/global/mail_params.h 2025-01-06
10:28:24
@@ -4455,6 +4455,13 @@
#define DEF_ALLOW_SRV_FALLBACK 0
extern bool var_allow_srv_fallback;
+ /*
+ * Limit for the sockmap reply size
+ */
+#define VAR_SOCKMAP_MAX_REPLY "socketmap_max_reply_size"
+#define DEF_SOCKMAP_MAX_REPLY 100000 /* reply size limit */
+extern int var_sockmap_max_reply;
+
/* LICENSE
/* .ad
/* .fi
diff --color -Naur postfix-3.9.1/src/util/dict_sockmap.c
postfix-3.9.1-with-sockmap_var/src/util/dict_sockmap.c
--- postfix-3.9.1/src/util/dict_sockmap.c 2020-09-13 17:18:21
+++ postfix-3.9.1-with-sockmap_var/src/util/dict_sockmap.c 2025-01-06
10:27:32
@@ -111,7 +111,6 @@
* Default limits.
*/
#define DICT_SOCKMAP_DEF_TIMEOUT 100 /* connect/read/write timeout */
-#define DICT_SOCKMAP_DEF_MAX_REPLY 100000 /* reply size limit */
#define DICT_SOCKMAP_DEF_MAX_IDLE 10 /* close idle socket */
#define DICT_SOCKMAP_DEF_MAX_TTL 100 /* close old socket */
@@ -119,7 +118,7 @@
* Class variables.
*/
static int dict_sockmap_timeout = DICT_SOCKMAP_DEF_TIMEOUT;
-static int dict_sockmap_max_reply = DICT_SOCKMAP_DEF_MAX_REPLY;
+int dict_sockmap_max_reply = 100000;
static int dict_sockmap_max_idle = DICT_SOCKMAP_DEF_MAX_IDLE;
static int dict_sockmap_max_ttl = DICT_SOCKMAP_DEF_MAX_TTL;
diff --color -Naur postfix-3.9.1/src/util/dict_sockmap.h
postfix-3.9.1-with-sockmap_var/src/util/dict_sockmap.h
--- postfix-3.9.1/src/util/dict_sockmap.h 2012-03-18 16:38:48
+++ postfix-3.9.1-with-sockmap_var/src/util/dict_sockmap.h 2025-01-06
10:27:52
@@ -22,6 +22,7 @@
#define DICT_TYPE_SOCKMAP "socketmap"
extern DICT *dict_sockmap_open(const char *, int, int);
+extern int dict_sockmap_max_reply;
/* LICENSE
/* .ad
------------------------------------------------------------------------------------------------------------------------
Compiles without errors.
Christian Rößner
--
Rößner-Network-Solutions
Zertifizierter ITSiBe / CISO
Marburger Str. 70a, 36304 Alsfeld
Fax: +49 6631 78823409, Mobil: +49 171 9905345
USt-IdNr.: DE225643613, https://roessner.website
PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
_______________________________________________
Postfix-devel mailing list -- postfix-devel@postfix.org
To unsubscribe send an email to postfix-devel-le...@postfix.org
