Check the patch obtained from sendmail.org for the header denial-of-service

attack into the vendor branch.  It is a little unusual doing it this way
but it will eliminate (or minimize anyway) conflicts when 8.9.3 comes out.

Obtained from: sendmail.org (as posted on bugtraq, but without broken tabs)

1 files changed, 23 insertions, 0 deletions

diff --git a/contrib/sendmail/src/readcf.c b/contrib/sendmail/src/readcf.c
index 56aa825..ab81027 100644
--- a/contrib/sendmail/src/readcf.c
+++ b/contrib/sendmail/src/readcf.c
@@ -1527,6 +1527,10 @@ struct optioninfo
 #define O_CONTROLSOCKET	0xa9
 	{ "ControlSocketName",		O_CONTROLSOCKET,	FALSE	},
 #endif
+#if _FFR_MAX_HEADER_LINES
+#define O_MAXHDRLINES	0xaa
+	{ "MaxHeaderLines",		O_MAXHDRLINES,	FALSE	},
+#endif
 	{ NULL,				'\0',		FALSE	}
 };
 
@@ -2466,6 +2470,25 @@ setoption(opt, val, safe, sticky, e)
 		break;
 #endif
 
+#if _FFR_MAX_HEADER_LINES
+	  case O_MAXHDRLINES:
+		p = strchr(val, '/');
+		if (p != NULL)
+			*p++ = '\0';
+		MaxHeaderLines = atoi(val);
+		if (p != NULL && *p != '\0')
+			MaxHeaderLineLength = atoi(p);
+
+		if (MaxHeaderLines > 0 &&
+		    MaxHeaderLines < 50)
+			printf("Warning: MaxHeaderLines: header line limit set lower than 50\n");
+
+		if (MaxHeaderLineLength > 0 &&
+		    MaxHeaderLineLength < MAXHDRLINELEN)
+			printf("Warning: MaxHeaderLines: header line length limit set lower than %d\n", MAXHDRLINELEN);
+		break;
+#endif
+
 	  default:
 		if (tTd(37, 1))
 		{