CVE-2021-34555: Fix multi-value From rejection logic

[glts]

This change fixes the broken reject logic when a multi-value From header field is detected. It also adds a guard against deref of NULL domains (CVE-2021-34555, see #179).

It includes an unrelated addition, namely the missing if-guard before the syslog call, as is done elsewhere in this function.

This fixes #175.
This fixes #179.

[glts]

This should fix the crash (DoS vuln) reported in #179. Please review and modify/merge.

I understand that you don’t have the resources to maintain this project. Still, if you can find half an hour to look this over and comment on it we can apply the patch in distros.

[glts]

We have applied this patch in Debian.

[thegushi]

I'll get this applied to a branch in the next day or so.

[mskucherawy]

The patch contains a redundant check for "domains[0] != NULL" on new line 2477; this is already tested on line 2468.

There's a deeper problem here, which is that the caller doesn't actually know how far into that array it needs to go. The "domains" array could be 10 entries long, but with a NULL in the middle, which will short-circuit further checks.

[glts]

The maintainers claim that this is fixed 1.4.2, closing.