Sendmail 8.6.10 update for security problems.

Imported on CSRG/V_8_6_10 branch.

Obtained from: CSRG/Allman

14 files changed, 361 insertions, 68 deletions

diff --git a/usr.sbin/sendmail/src/aliases b/usr.sbin/sendmail/src/aliases
new file mode 100644
index 0000000..7540eea
--- /dev/null
+++ b/usr.sbin/sendmail/src/aliases
@@ -0,0 +1,53 @@
+#
+#	@(#)aliases	8.2 (Berkeley) 3/5/94
+#
+#  Aliases in this file will NOT be expanded in the header from
+#  Mail, but WILL be visible over networks or from /bin/mail.
+#
+#	>>>>>>>>>>	The program "newaliases" must be run after
+#	>> NOTE >>	this file is updated for any changes to
+#	>>>>>>>>>>	show through to sendmail.
+#
+
+# Basic system aliases -- these MUST be present.
+MAILER-DAEMON:	postmaster
+postmaster:	root
+
+# General redirections for pseudo accounts.
+bin:		root
+daemon:		root
+games:		root
+ingres:		root
+nobody:		root
+system:		root
+toor:		root
+uucp:		root
+
+# Well-known aliases.
+manager:	root
+dumper:		root
+operator:	root
+
+# trap decode to catch security attacks
+decode:		root
+
+# OFFICIAL CSRG/BUG ADDRESSES
+
+# Ftp maintainer.
+ftp: ftp-bugs
+ftp-bugs: bigbug@cs.berkeley.edu
+
+# Distribution office.
+bsd-dist: bsd-dist@cs.berkeley.edu
+
+# Fortune maintainer.
+fortune: fortune@cs.berkeley.edu
+
+# Termcap maintainer.
+termcap: termcap@cs.berkeley.edu
+
+# General bug address.
+ucb-fixes: bigbug@cs.berkeley.edu
+ucb-fixes-request: bigbug@cs.berkeley.edu
+bugs: bugs@cs.berkeley.edu
+# END OFFICIAL BUG ADDRESSES
diff --git a/usr.sbin/sendmail/src/cdefs.h b/usr.sbin/sendmail/src/cdefs.h
new file mode 100644
index 0000000..e586cbf
--- /dev/null
+++ b/usr.sbin/sendmail/src/cdefs.h
@@ -0,0 +1,123 @@
+/*
+ * Copyright (c) 1991, 1993
+ *	The Regents of the University of California.  All rights reserved.
+ *
+ * This code is derived from software contributed to Berkeley by
+ * Berkeley Software Design, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *	This product includes software developed by the University of
+ *	California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *	@(#)cdefs.h	8.8 (Berkeley) 1/9/95
+ */
+
+#ifndef	_CDEFS_H_
+#define	_CDEFS_H_
+
+#if defined(__cplusplus)
+#define	__BEGIN_DECLS	extern "C" {
+#define	__END_DECLS	};
+#else
+#define	__BEGIN_DECLS
+#define	__END_DECLS
+#endif
+
+/*
+ * The __CONCAT macro is used to concatenate parts of symbol names, e.g.
+ * with "#define OLD(foo) __CONCAT(old,foo)", OLD(foo) produces oldfoo.
+ * The __CONCAT macro is a bit tricky -- make sure you don't put spaces
+ * in between its arguments.  __CONCAT can also concatenate double-quoted
+ * strings produced by the __STRING macro, but this only works with ANSI C.
+ */
+#if defined(__STDC__) || defined(__cplusplus)
+#define	__P(protos)	protos		/* full-blown ANSI C */
+#define	__CONCAT(x,y)	x ## y
+#define	__STRING(x)	#x
+
+#define	__const		const		/* define reserved names to standard */
+#define	__signed	signed
+#define	__volatile	volatile
+#if defined(__cplusplus)
+#define	__inline	inline		/* convert to C++ keyword */
+#else
+#ifndef __GNUC__
+#define	__inline			/* delete GCC keyword */
+#endif /* !__GNUC__ */
+#endif /* !__cplusplus */
+
+#else	/* !(__STDC__ || __cplusplus) */
+#define	__P(protos)	()		/* traditional C preprocessor */
+#define	__CONCAT(x,y)	x/**/y
+#define	__STRING(x)	"x"
+
+#ifndef __GNUC__
+#define	__const				/* delete pseudo-ANSI C keywords */
+#define	__inline
+#define	__signed
+#define	__volatile
+/*
+ * In non-ANSI C environments, new programs will want ANSI-only C keywords
+ * deleted from the program and old programs will want them left alone.
+ * When using a compiler other than gcc, programs using the ANSI C keywords
+ * const, inline etc. as normal identifiers should define -DNO_ANSI_KEYWORDS.
+ * When using "gcc -traditional", we assume that this is the intent; if
+ * __GNUC__ is defined but __STDC__ is not, we leave the new keywords alone.
+ */
+#ifndef	NO_ANSI_KEYWORDS
+#define	const				/* delete ANSI C keywords */
+#define	inline
+#define	signed
+#define	volatile
+#endif
+#endif	/* !__GNUC__ */
+#endif	/* !(__STDC__ || __cplusplus) */
+
+/*
+ * GCC1 and some versions of GCC2 declare dead (non-returning) and
+ * pure (no side effects) functions using "volatile" and "const";
+ * unfortunately, these then cause warnings under "-ansi -pedantic".
+ * GCC2 uses a new, peculiar __attribute__((attrs)) style.  All of
+ * these work for GNU C++ (modulo a slight glitch in the C++ grammar
+ * in the distribution version of 2.5.5).
+ */
+#if !defined(__GNUC__) || __GNUC__ < 2 || \
+	(__GNUC__ == 2 && __GNUC_MINOR__ < 5)
+#define	__attribute__(x)	/* delete __attribute__ if non-gcc or gcc1 */
+#if defined(__GNUC__) && !defined(__STRICT_ANSI__)
+#define	__dead		__volatile
+#define	__pure		__const
+#endif
+#endif
+
+/* Delete pseudo-keywords wherever they are not available or needed. */
+#ifndef __dead
+#define	__dead
+#define	__pure
+#endif
+
+#endif /* !_CDEFS_H_ */
diff --git a/usr.sbin/sendmail/src/daemon.c b/usr.sbin/sendmail/src/daemon.c
index 293438b..fe1070b 100644
--- a/usr.sbin/sendmail/src/daemon.c
+++ b/usr.sbin/sendmail/src/daemon.c
@@ -37,9 +37,9 @@
 
 #ifndef lint
 #ifdef DAEMON
-static char sccsid[] = "@(#)daemon.c	8.48 (Berkeley) 4/18/94 (with daemon mode)";
+static char sccsid[] = "@(#)daemon.c	8.48.1.2 (Berkeley) 2/9/95 (with daemon mode)";
 #else
-static char sccsid[] = "@(#)daemon.c	8.48 (Berkeley) 4/18/94 (without daemon mode)";
+static char sccsid[] = "@(#)daemon.c	8.48.1.2 (Berkeley) 2/9/95 (without daemon mode)";
 #endif
 #endif /* not lint */
 
@@ -1122,9 +1122,11 @@ getauthinfo(fd)
 	while (isascii(*++p) && isspace(*p))
 		continue;
 
-	/* p now points to the authenticated name */
-	(void) sprintf(hbuf, "%s@%s",
-		p, RealHostName == NULL ? "localhost" : RealHostName);
+	/* p now points to the authenticated name -- copy carefully */
+	cleanstrcpy(hbuf, p, MAXNAME);
+	i = strlen(hbuf);
+	hbuf[i++] = '@';
+	strcpy(&hbuf[i], RealHostName == NULL ? "localhost" : RealHostName);
 	goto finish;
 
 closeident:
diff --git a/usr.sbin/sendmail/src/deliver.c b/usr.sbin/sendmail/src/deliver.c
index 4266122..06dd9b2 100644
--- a/usr.sbin/sendmail/src/deliver.c
+++ b/usr.sbin/sendmail/src/deliver.c
@@ -33,7 +33,7 @@
  */
 
 #ifndef lint
-static char sccsid[] = "@(#)deliver.c	8.82 (Berkeley) 4/18/94";
+static char sccsid[] = "@(#)deliver.c	8.84.1.1 (Berkeley) 2/10/95";
 #endif /* not lint */
 
 #include "sendmail.h"
@@ -124,6 +124,7 @@ sendall(e, mode)
 	if (e->e_hopcount > MaxHopCount)
 	{
 		errno = 0;
+		queueup(e, TRUE, announcequeueup);
 		e->e_flags |= EF_FATALERRS|EF_PM_NOTIFY|EF_CLRQUEUE;
 		syserr("554 too many hops %d (%d max): from %s via %s, to %s",
 			e->e_hopcount, MaxHopCount, e->e_from.q_paddr,
@@ -1005,7 +1006,7 @@ deliver(e, firstto)
 		if (curhost == NULL || curhost[0] == '\0')
 		{
 			syserr("null host signature for %s", pv[1]);
-			rcode = EX_OSERR;
+			rcode = EX_CONFIG;
 			goto give_up;
 		}
 
@@ -1726,7 +1727,7 @@ giveresponse(stat, m, mci, ctladdr, e)
 	else if (stat == EX_NOHOST && h_errno != 0)
 	{
 		statmsg = errstring(h_errno + E_DNSBASE);
-		(void) sprintf(buf, "%s (%s)", SysExMsg[i], statmsg);
+		(void) sprintf(buf, "%s (%s)", SysExMsg[i] + 1, statmsg);
 		statmsg = buf;
 	}
 #endif
@@ -1754,8 +1755,11 @@ giveresponse(stat, m, mci, ctladdr, e)
 	}
 	else
 	{
+		char mbuf[8];
+
 		Errors++;
-		usrerr(statmsg, errstring(errno));
+		sprintf(mbuf, "%.3s %%s", statmsg);
+		usrerr(mbuf, &statmsg[4]);
 	}
 
 	/*
@@ -1770,7 +1774,7 @@ giveresponse(stat, m, mci, ctladdr, e)
 
 	if (tTd(11, 2))
 		printf("giveresponse: stat=%d, e->e_message=%s\n",
-			stat, e->e_message);
+			stat, e->e_message == NULL ? "<NULL>" : e->e_message);
 
 	if (stat != EX_TEMPFAIL)
 		setstat(stat);
diff --git a/usr.sbin/sendmail/src/main.c b/usr.sbin/sendmail/src/main.c
index e2af9df..d7923ea 100644
--- a/usr.sbin/sendmail/src/main.c
+++ b/usr.sbin/sendmail/src/main.c
@@ -39,7 +39,7 @@ static char copyright[] =
 #endif /* not lint */
 
 #ifndef lint
-static char sccsid[] = "@(#)main.c	8.55 (Berkeley) 4/15/94";
+static char sccsid[] = "@(#)main.c	8.55.1.3 (Berkeley) 2/10/95";
 #endif /* not lint */
 
 #define	_DEFINE
@@ -463,7 +463,11 @@ main(argc, argv, envp)
 			break;
 
 		  case 'B':	/* body type */
-			CurEnv->e_bodytype = newstr(optarg);
+			if (strcasecmp(optarg, "7bit") == 0 ||
+			    strcasecmp(optarg, "8bitmime") == 0)
+				CurEnv->e_bodytype = newstr(optarg);
+			else
+				usrerr("Illegal body type %s", optarg);
 			break;
 
 		  case 'C':	/* select configuration file (already done) */
@@ -486,7 +490,7 @@ main(argc, argv, envp)
 				ExitStat = EX_USAGE;
 				break;
 			}
-			from = newstr(optarg);
+			from = newstr(denlstring(optarg));
 			if (strcmp(RealUserName, from) != 0)
 				warn_f_flag = j;
 			break;
@@ -516,11 +520,21 @@ main(argc, argv, envp)
 		  case 'p':	/* set protocol */
 			p = strchr(optarg, ':');
 			if (p != NULL)
+			{
 				*p++ = '\0';
+				if (*p != '\0')
+				{
+					ep = xalloc(strlen(p) + 1);
+					cleanstrcpy(ep, p, MAXNAME);
+					define('s', ep, CurEnv);
+				}
+			}
 			if (*optarg != '\0')
-				define('r', newstr(optarg), CurEnv);
-			if (p != NULL && *p != '\0')
-				define('s', newstr(p), CurEnv);
+			{
+				ep = xalloc(strlen(optarg) + 1);
+				cleanstrcpy(ep, optarg, MAXNAME);
+				define('r', ep, CurEnv);
+			}
 			break;
 
 		  case 'q':	/* run queue files at intervals */
@@ -714,6 +728,10 @@ main(argc, argv, envp)
 		break;
 	}
 
+	/* full names can't have newlines */
+	if (FullName != NULL && strchr(FullName, '\n') != NULL)
+		FullName = newstr(denlstring(FullName));
+
 	/* do heuristic mode adjustment */
 	if (Verbose)
 	{
diff --git a/usr.sbin/sendmail/src/map.c b/usr.sbin/sendmail/src/map.c
index 01ba411..a2b3337 100644
--- a/usr.sbin/sendmail/src/map.c
+++ b/usr.sbin/sendmail/src/map.c
@@ -33,7 +33,7 @@
  */
 
 #ifndef lint
-static char sccsid[] = "@(#)map.c	8.25 (Berkeley) 4/17/94";
+static char sccsid[] = "@(#)map.c	8.25.1.1 (Berkeley) 2/10/95";
 #endif /* not lint */
 
 #include "sendmail.h"
@@ -189,20 +189,13 @@ map_parseargs(map, ap)
 **		av -- arguments to interpolate into buf.
 **
 **	Returns:
-**		Pointer to rewritten result.
+**		Pointer to rewritten result.  This is static data that
+**		should be copied if it is to be saved!
 **
 **	Side Effects:
 **		none.
 */
 
-struct rwbuf
-{
-	int	rwb_len;	/* size of buffer */
-	char	*rwb_buf;	/* ptr to buffer */
-};
-
-struct rwbuf	RwBufs[2];	/* buffers for rewriting output */
-
 char *
 map_rewrite(map, s, slen, av)
 	register MAP *map;
@@ -214,9 +207,10 @@ map_rewrite(map, s, slen, av)
 	register char c;
 	char **avp;
 	register char *ap;
-	register struct rwbuf *rwb;
 	int i;
 	int len;
+	static int buflen = -1;
+	static char *buf = NULL;
 
 	if (tTd(39, 1))
 	{
@@ -231,10 +225,6 @@ map_rewrite(map, s, slen, av)
 		printf("\n");
 	}
 
-	rwb = RwBufs;
-	if (av == NULL)
-		rwb++;
-
 	/* count expected size of output (can safely overestimate) */
 	i = len = slen;
 	if (av != NULL)
@@ -258,16 +248,16 @@ map_rewrite(map, s, slen, av)
 	}
 	if (map->map_app != NULL)
 		len += strlen(map->map_app);
-	if (rwb->rwb_len < ++len)
+	if (buflen < ++len)
 	{
 		/* need to malloc additional space */
-		rwb->rwb_len = len;
-		if (rwb->rwb_buf != NULL)
-			free(rwb->rwb_buf);
-		rwb->rwb_buf = xalloc(rwb->rwb_len);
+		buflen = len;
+		if (buf != NULL)
+			free(buf);
+		buf = xalloc(buflen);
 	}
 
-	bp = rwb->rwb_buf;
+	bp = buf;
 	if (av == NULL)
 	{
 		bcopy(s, bp, slen);
@@ -307,8 +297,8 @@ map_rewrite(map, s, slen, av)
 	else
 		*bp = '\0';
 	if (tTd(39, 1))
-		printf("map_rewrite => %s\n", rwb->rwb_buf);
-	return rwb->rwb_buf;
+		printf("map_rewrite => %s\n", buf);
+	return buf;
 }
 /*
 **  INITMAPS -- initialize for aliasing
diff --git a/usr.sbin/sendmail/src/mci.c b/usr.sbin/sendmail/src/mci.c
index 8160b83..8211a62 100644
--- a/usr.sbin/sendmail/src/mci.c
+++ b/usr.sbin/sendmail/src/mci.c
@@ -33,7 +33,7 @@
  */
 
 #ifndef lint
-static char sccsid[] = "@(#)mci.c	8.13 (Berkeley) 4/12/94";
+static char sccsid[] = "@(#)mci.c	8.14 (Berkeley) 5/15/94";
 #endif /* not lint */
 
 #include "sendmail.h"
@@ -83,18 +83,17 @@ mci_cache(mci)
 	register MCI **mcislot;
 	extern MCI **mci_scan();
 
-	if (MaxMciCache <= 0)
-	{
-		/* we don't support caching */
-		return;
-	}
-
 	/*
 	**  Find the best slot.  This may cause expired connections
 	**  to be closed.
 	*/
 
 	mcislot = mci_scan(mci);
+	if (mcislot == NULL)
+	{
+		/* we don't support caching */
+		return;
+	}
 
 	/* if this is already cached, we are done */
 	if (bitset(MCIF_CACHED, mci->mci_flags))
@@ -136,6 +135,12 @@ mci_scan(savemci)
 	register MCI *mci;
 	register int i;
 
+	if (MaxMciCache <= 0)
+	{
+		/* we don't support caching */
+		return NULL;
+	}
+
 	if (MciCache == NULL)
 	{
 		/* first call */
@@ -267,6 +272,7 @@ mci_get(host, m)
 {
 	register MCI *mci;
 	register STAB *s;
+	extern MCI **mci_scan();
 
 #ifdef DAEMON
 	extern SOCKADDR CurHostAddr;
@@ -276,7 +282,7 @@ mci_get(host, m)
 #endif
 
 	/* clear out any expired connections */
-	mci_scan(NULL);
+	(void) mci_scan(NULL);
 
 	if (m->m_mno < 0)
 		syserr("negative mno %d (%s)", m->m_mno, m->m_name);
diff --git a/usr.sbin/sendmail/src/queue.c b/usr.sbin/sendmail/src/queue.c
index efedb72..897396a 100644
--- a/usr.sbin/sendmail/src/queue.c
+++ b/usr.sbin/sendmail/src/queue.c
@@ -36,9 +36,9 @@
 
 #ifndef lint
 #ifdef QUEUE
-static char sccsid[] = "@(#)queue.c	8.41 (Berkeley) 4/18/94 (with queueing)";
+static char sccsid[] = "@(#)queue.c	8.41.1.1 (Berkeley) 2/10/95 (with queueing)";
 #else
-static char sccsid[] = "@(#)queue.c	8.41 (Berkeley) 4/18/94 (without queueing)";
+static char sccsid[] = "@(#)queue.c	8.41.1.1 (Berkeley) 2/10/95 (without queueing)";
 #endif
 #endif /* not lint */
 
@@ -210,7 +210,7 @@ queueup(e, queueall, announce)
 
 	/* message from envelope, if it exists */
 	if (e->e_message != NULL)
-		fprintf(tfp, "M%s\n", e->e_message);
+		fprintf(tfp, "M%s\n", denlstring(e->e_message));
 
 	/* send various flag bits through */
 	p = buf;
@@ -224,14 +224,14 @@ queueup(e, queueall, announce)
 
 	/* $r and $s and $_ macro values */
 	if ((p = macvalue('r', e)) != NULL)
-		fprintf(tfp, "$r%s\n", p);
+		fprintf(tfp, "$r%s\n", denlstring(p));
 	if ((p = macvalue('s', e)) != NULL)
-		fprintf(tfp, "$s%s\n", p);
+		fprintf(tfp, "$s%s\n", denlstring(p));
 	if ((p = macvalue('_', e)) != NULL)
-		fprintf(tfp, "$_%s\n", p);
+		fprintf(tfp, "$_%s\n", denlstring(p));
 
 	/* output name of sender */
-	fprintf(tfp, "S%s\n", e->e_from.q_paddr);
+	fprintf(tfp, "S%s\n", denlstring(e->e_from.q_paddr));
 
 	/* output list of error recipients */
 	printctladdr(NULL, NULL);
@@ -240,7 +240,7 @@ queueup(e, queueall, announce)
 		if (!bitset(QDONTSEND|QBADADDR, q->q_flags))
 		{
 			printctladdr(q, tfp);
-			fprintf(tfp, "E%s\n", q->q_paddr);
+			fprintf(tfp, "E%s\n", denlstring(q->q_paddr));
 		}
 	}
 
@@ -251,7 +251,7 @@ queueup(e, queueall, announce)
 		    (queueall && !bitset(QDONTSEND|QBADADDR|QSENT, q->q_flags)))
 		{
 			printctladdr(q, tfp);
-			fprintf(tfp, "R%s\n", q->q_paddr);
+			fprintf(tfp, "R%s\n", denlstring(q->q_paddr));
 			if (announce)
 			{
 				e->e_to = q->q_paddr;
@@ -427,7 +427,7 @@ printctladdr(a, tfp)
 	else
 		uname = pw->pw_name;
 
-	fprintf(tfp, "C%s:%s\n", uname, a->q_paddr);
+	fprintf(tfp, "C%s:%s\n", uname, denlstring(a->q_paddr));
 }
 
 /*
diff --git a/usr.sbin/sendmail/src/readcf.c b/usr.sbin/sendmail/src/readcf.c
index bd902c0..11a895b 100644
--- a/usr.sbin/sendmail/src/readcf.c
+++ b/usr.sbin/sendmail/src/readcf.c
@@ -33,7 +33,7 @@
  */
 
 #ifndef lint
-static char sccsid[] = "@(#)readcf.c	8.23 (Berkeley) 3/18/94";
+static char sccsid[] = "@(#)readcf.c	8.23.1.2 (Berkeley) 2/10/95";
 #endif /* not lint */
 
 # include "sendmail.h"
@@ -1300,7 +1300,10 @@ setoption(opt, val, safe, sticky, e)
 		break;
 
 	  case 'M':		/* define macro */
-		define(val[0], newstr(&val[1]), CurEnv);
+		p = newstr(&val[1]);
+		if (!safe)
+			cleanstrcpy(p, p, MAXNAME);
+		define(val[0], p, CurEnv);
 		sticky = FALSE;
 		break;
 
diff --git a/usr.sbin/sendmail/src/recipient.c b/usr.sbin/sendmail/src/recipient.c
index c6c15c4..0820e60 100644
--- a/usr.sbin/sendmail/src/recipient.c
+++ b/usr.sbin/sendmail/src/recipient.c
@@ -33,7 +33,7 @@
  */
 
 #ifndef lint
-static char sccsid[] = "@(#)recipient.c	8.44 (Berkeley) 2/28/94";
+static char sccsid[] = "@(#)recipient.c	8.44.1.4 (Berkeley) 2/20/95";
 #endif /* not lint */
 
 # include "sendmail.h"
@@ -75,7 +75,10 @@ sendtolist(list, ctladdr, sendq, e)
 	bool firstone;		/* set on first address sent */
 	char delimiter;		/* the address delimiter */
 	int naddrs;
+	int i;
 	char *oldto = e->e_to;
+	char *bufp;
+	char buf[MAXNAME + 1];
 
 	if (list == NULL)
 	{
@@ -102,7 +105,15 @@ sendtolist(list, ctladdr, sendq, e)
 	al = NULL;
 	naddrs = 0;
 
-	for (p = list; *p != '\0'; )
+	/* make sure we have enough space to copy the string */
+	i = strlen(list) + 1;
+	if (i <= sizeof buf)
+		bufp = buf;
+	else
+		bufp = xalloc(i);
+	strcpy(bufp, denlstring(list));
+
+	for (p = bufp; *p != '\0'; )
 	{
 		auto char *delimptr;
 		register ADDRESS *a;
@@ -143,6 +154,8 @@ sendtolist(list, ctladdr, sendq, e)
 	}
 
 	e->e_to = oldto;
+	if (bufp != buf)
+		free(bufp);
 	return (naddrs);
 }
 /*
diff --git a/usr.sbin/sendmail/src/savemail.c b/usr.sbin/sendmail/src/savemail.c
index 6467def..214dca5 100644
--- a/usr.sbin/sendmail/src/savemail.c
+++ b/usr.sbin/sendmail/src/savemail.c
@@ -33,7 +33,7 @@
  */
 
 #ifndef lint
-static char sccsid[] = "@(#)savemail.c	8.28 (Berkeley) 3/11/94";
+static char sccsid[] = "@(#)savemail.c	8.29 (Berkeley) 5/10/94";
 #endif /* not lint */
 
 # include "sendmail.h"
@@ -521,7 +521,7 @@ returntosender(msg, returnq, sendbody, e)
 			e->e_id, ee->e_id, msg);
 # endif
 
-	(void) sprintf(buf, "Returned mail: %s", msg);
+	(void) sprintf(buf, "Returned mail: %.*s", sizeof buf - 20, msg);
 	addheader("Subject", buf, ee);
 	if (SendMIMEErrors)
 	{
diff --git a/usr.sbin/sendmail/src/sendmail.h b/usr.sbin/sendmail/src/sendmail.h
index 4a42b2c..0139f0e 100644
--- a/usr.sbin/sendmail/src/sendmail.h
+++ b/usr.sbin/sendmail/src/sendmail.h
@@ -31,7 +31,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- *	@(#)sendmail.h	8.43 (Berkeley) 4/14/94
+ *	@(#)sendmail.h	8.43.1.1 (Berkeley) 2/10/95
  */
 
 /*
@@ -41,7 +41,7 @@
 # ifdef _DEFINE
 # define EXTERN
 # ifndef lint
-static char SmailSccsId[] =	"@(#)sendmail.h	8.43		4/14/94";
+static char SmailSccsId[] =	"@(#)sendmail.h	8.43.1.1		2/10/95";
 # endif
 # else /*  _DEFINE */
 # define EXTERN extern
@@ -956,6 +956,7 @@ extern sigfunc_t	setsignal __P((int, sigfunc_t));
 extern char		*shortenstring __P((char *, int));
 extern bool		usershellok __P((char *));
 extern void		commaize __P((HDR *, char *, int, MCI *, ENVELOPE *));
+extern char		*denlstring __P((char *));
 
 /* ellipsis is a different case though */
 #ifdef __STDC__
diff --git a/usr.sbin/sendmail/src/util.c b/usr.sbin/sendmail/src/util.c
index 10b3fb4..0e68673 100644
--- a/usr.sbin/sendmail/src/util.c
+++ b/usr.sbin/sendmail/src/util.c
@@ -33,7 +33,7 @@
  */
 
 #ifndef lint
-static char sccsid[] = "@(#)util.c	8.39 (Berkeley) 4/14/94";
+static char sccsid[] = "@(#)util.c	8.39.1.2 (Berkeley) 2/10/95";
 #endif /* not lint */
 
 # include "sendmail.h"
@@ -1465,3 +1465,83 @@ shortenstring(s, m)
 	strcpy(buf + m + 3, s + l - m);
 	return buf;
 }
+/*
+**  CLEANSTRCPY -- copy string keeping out bogus characters
+**
+**	Parameters:
+**		t -- "to" string.
+**		f -- "from" string.
+**		l -- length of space available in "to" string.
+**
+**	Returns:
+**		none.
+*/
+
+void
+cleanstrcpy(t, f, l)
+	register char *t;
+	register char *f;
+	int l;
+{
+#ifdef LOG
+	/* check for newlines and log if necessary */
+	(void) denlstring(f);
+#endif
+
+	l--;
+	while (l > 0 && *f != '\0')
+	{
+		if (isascii(*f) &&
+		    (isalnum(*f) || strchr("!#$%&'*+-./^_`{|}~", *f) != NULL))
+		{
+			l--;
+			*t++ = *f;
+		}
+		f++;
+	}
+	*t = '\0';
+}
+/*
+**  DENLSTRING -- convert newlines in a string to spaces
+**
+**	Parameters:
+**		s -- the input string
+**
+**	Returns:
+**		A pointer to a version of the string with newlines
+**		mapped to spaces.  This should be copied.
+*/
+
+char *
+denlstring(s)
+	char *s;
+{
+	register char *p;
+	int l;
+	static char *bp = NULL;
+	static int bl = 0;
+
+	if (strchr(s, '\n') == NULL)
+		return s;
+
+	l = strlen(s) + 1;
+	if (bl < l)
+	{
+		/* allocate more space */
+		if (bp != NULL)
+			free(bp);
+		bp = xalloc(l);
+		bl = l;
+	}
+	strcpy(bp, s);
+	for (p = bp; (p = strchr(p, '\n')) != NULL; )
+		*p++ = ' ';
+
+#ifdef LOG
+	p = macvalue('_', CurEnv);
+	syslog(LOG_ALERT, "POSSIBLE ATTACK from %s: newline in string \"%s\"",
+		p == NULL ? "[UNKNOWN]" : p, bp);
+#endif
+
+	return bp;
+}
diff --git a/usr.sbin/sendmail/src/version.c b/usr.sbin/sendmail/src/version.c
index fa3c31a..25ed8c0 100644
--- a/usr.sbin/sendmail/src/version.c
+++ b/usr.sbin/sendmail/src/version.c
@@ -33,7 +33,7 @@
  */
 
 #ifndef lint
-static char sccsid[] = "@(#)version.c	8.6.9.1 (Berkeley) 4/18/94";
+static char sccsid[] = "@(#)version.c	8.6.10.1 (Berkeley) 2/7/95";
 #endif /* not lint */
 
-char	Version[] = "8.6.9";
+char	Version[] = "8.6.10";