Public bug reported:

In exim4-daemon-heavy 4.95-4ubuntu2.8 running on Ubuntu 22.04 on amd64,
I saw the following message in /var/log/exim/paniclog:

Taint mismatch, Ustrncpy: string_is_ip_addressX 110

After reading the source code, I came to the conclusion that this
message is only emitted when one of the Exim processes is (deliberately)
killed because a potentially dangerous situation has been detected.

The call that causes this message is in string.c, line 110:

    Ustrncpy((uschar *)addr, ip_addr, l);

I compared the whole code section with the same section in the newest
version of the upstream sources, and there are a few differences. Here
is the relevant code from the Ubuntu package:

  /* inet_pton() can't parse netmasks and interface IDs, so work on a shortened copy
  allocated on the current stack */
  if (endp)
    {
    ptrdiff_t l = endp - ip_addr;
    if (l > 255)
      {
      if (errp) *errp = "rudiculous long ip address string";
      return 0;
      }
    addr = alloca(l+1); /* *BSD does not have strndupa() */
    Ustrncpy((uschar *)addr, ip_addr, l);
    ((uschar*)addr)[l] = '\0';
    } else addr = ip_addr;

And here is the same section from upstream:

/* inet_pton() can't parse netmasks and interface IDs, so work on a shortened copy
allocated on the current stack */

if (endp)
  {
  ptrdiff_t l = endp - ip_addr;
  if (l > 255)
    {
    if (errp) *errp = US"rediculous long ip address string";
    return 0;
    }
  addr = string_copyn(ip_addr, l);
  }
else
  addr = ip_addr;

So, the difference seems to be that the code in the Ubuntu package
uses alloca followed by Ustrncpy, while the upstream code combines this
into a single call to string_copyn. The difference seems to be that
string_copyn correctly handles the case where the source (ip_addr in
this case) is tainted, while Ustrncpy expects it to not be tainted.

** Affects: exim4 (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2152830

Title:
  Taint mismatch, Ustrncpy: string_is_ip_addressX 110

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/exim4/+bug/2152830/+subscriptions


-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
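As an added illustration (constructed for this page, not Exim's own code), a small C model of the pool-based taint check behind the panic above: a string is tainted when it lives in the tainted pool, a checked strncpy from tainted input into a stack buffer records a mismatch, while a string_copyn-style copy allocates from the pool matching the source's taint. The names pool_alloc, tainted_strdup, checked_strncpy and copy_to_stack are assumptions, and the mismatch is counted rather than killing the process.

```c
/* Constructed model of Exim-style taint tracking (not Exim's own code).
 * Exim decides whether a pointer is tainted by the memory region it points
 * into; copying from a tainted source into untainted memory is a mismatch. */
#include <string.h>
#define POOL_SIZE 4096
static char pool_tainted[POOL_SIZE], pool_plain[POOL_SIZE];
static size_t used_tainted, used_plain;
static int mismatch_count;             /* "Taint mismatch" events seen */

static int is_tainted(const void *p) {
  const char *c = p;
  return c >= pool_tainted && c < pool_tainted + POOL_SIZE;
}

static char *pool_alloc(int tainted, size_t n) {
  char *base = tainted ? pool_tainted : pool_plain;
  size_t *used = tainted ? &used_tainted : &used_plain;
  if (*used + n > POOL_SIZE) return NULL;
  *used += n;
  return base + *used - n;
}

/* Data read from the wire is stored tainted; this builds such input. */
static char *tainted_strdup(const char *s) {
  char *d = pool_alloc(1, strlen(s) + 1);
  return d ? strcpy(d, s) : NULL;
}
/* Like string_copyn: the copy is taken from the pool matching the source's
 * taint, so it inherits the taint and a mismatch cannot occur. */
static char *string_copyn(const char *src, size_t n) {
  char *dst = pool_alloc(is_tainted(src), n + 1);
  if (!dst) return NULL;
  memcpy(dst, src, n);
  dst[n] = '\0';
  return dst;
}

/* Like Ustrncpy under taint checking: a tainted source needs a tainted
 * destination, else Exim logs "Taint mismatch" and dies; here it is counted. */
static char *checked_strncpy(char *dst, const char *src, size_t n) {
  if (is_tainted(src) && !is_tainted(dst)) { mismatch_count++; return NULL; }
  return strncpy(dst, src, n);
}

/* Ubuntu variant: stack memory is never tainted, so a tainted ip_addr trips it. */
static int copy_to_stack(const char *ip_addr, size_t l) {
  char buf[256];                        /* stands in for alloca(l + 1) */
  if (l > 255 || !checked_strncpy(buf, ip_addr, l)) return 0;
  buf[l] = '\0';
  return 1;
}
```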
