
[Full-Disclosure] Re: Lame crash in qmail-smtpd



  Hello guys

> [...]
>
> The problem is in:
> void blast(hops)
> int *hops;
> ...
> int pos; /* number of bytes since most recent \n, if fih */
> ...
>    if (pos < 9) {
>         if (ch != "delivered"[pos]) if (ch != "DELIVERED"[pos])
> flagmaybez = 0; ...
> ++pos;
> ...

  I think this isn't a serious security problem, because generally this kind
of overflow (a nondeterministic, uncontrolled random read from a
random address) is not exploitable. This can only be a "logical
bug". I think the best fix is the following patch (or dying with another
funny message like "go away", etc.).

  Regards,
-- 
-------------------------------------------------------
  David "Dave" Jez                Brno, CZ, Europe
 E-mail: dave.jez@seznam.cz
PGP key: finger xjezda00@eva.fit.vutbr.cz
---------=[ ~EOF ]=------------------------------------
--- qmail-smtpd.c.orig  Tue Jan 20 06:35:18 2004
+++ qmail-smtpd.c       Tue Jan 20 06:43:03 2004
@@ -318,6 +318,7 @@
         if (flagmaybey) if (pos == 1) flaginheader = 0;
       }
       ++pos;
+      if (pos < 0) die_nomem();
       if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; }
     }
     switch(state) {
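Review bot: the added `if (pos < 0) die_nomem();` relies on `++pos` wrapping from INT_MAX to a negative value, but `pos` is an `int` and signed overflow is undefined behaviour in C, so a compiler may assume `pos` cannot be negative right after an increment and drop the check. Test before incrementing instead, e.g. `if (pos == INT_MAX) die_nomem();` ahead of `++pos` (with `<limits.h>`), or stop counting once `pos` is past the largest value the matcher compares against, e.g. `if (pos < 10) ++pos;`, which keeps the visible comparisons (`pos < 9`, `pos == 1`) unchanged provided no other use of `pos` in blast() needs larger values. Also, `die_nomem()` reports the wrong condition for an over-long header line; a dedicated message would keep the log from being misleading.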
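As an added example, not code from the original post or from qmail: a scaled-down C model of the quoted "delivered" matcher, showing why the `pos < 9` guard stops protecting the string index once the counter goes negative, next to a saturating counter as an alternative fix. Everything in it is this example's own (`struct matcher`, `feed_vuln`, `feed_fixed`, the constructed sample inputs); two assumptions differ from the quoted code: the counter is an int8_t, so the wrap happens after 127 bytes rather than INT_MAX and the run is instant, and the vulnerable path records the negative index instead of dereferencing it, so the program stays well-defined while still showing that the guard was passed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Scaled-down model of the "delivered" matcher quoted above.
 * Assumptions of this example (not qmail's code):
 *  - the byte counter is an int8_t rather than an int, so it wraps after
 *    127 bytes instead of INT_MAX; for int8_t the wrap is
 *    implementation-defined (gcc/clang wrap to -128), for int it is
 *    undefined behaviour, which is the whole problem;
 *  - when the vulnerable path would index "delivered" with a negative pos,
 *    the index is recorded instead of dereferenced.
 */

#define NEEDLE_LEN 9   /* strlen("delivered") */
#define POS_CAP    10  /* hardened path: never count past this */

struct matcher {
    int8_t pos;        /* bytes since the most recent '\n' */
    int flagmaybez;    /* current line may still be "delivered" */
    int hops;          /* lines that matched */
    int oob_count;     /* vulnerable path: negative-index reads avoided */
    int oob_index;     /* vulnerable path: first such index, 0 if none */
};

typedef void (*feed_fn)(struct matcher *, char);

/* One byte against position pos of either spelling; pos must be in 0..8. */
static int matches_at(char ch, int pos)
{
    return ch == "delivered"[pos] || ch == "DELIVERED"[pos];
}

/* Vulnerable logic: the guard is pos < 9, which a negative pos also passes. */
static void feed_vuln(struct matcher *m, char ch)
{
    if (m->flagmaybez && m->pos < NEEDLE_LEN) {
        if (m->pos < 0) {                 /* would read "delivered"[pos] */
            if (m->oob_count++ == 0) m->oob_index = m->pos;
            m->flagmaybez = 0;            /* an arbitrary byte rarely matches */
        } else if (!matches_at(ch, m->pos)) {
            m->flagmaybez = 0;
        }
    }
    if (m->flagmaybez && m->pos == NEEDLE_LEN) m->hops++;
    m->pos++;                             /* wraps negative on a long line */
    if (ch == '\n') { m->pos = 0; m->flagmaybez = 1; }
}

/* Hardened logic: pos saturates at POS_CAP, above every value the matcher
 * compares against, so it cannot wrap whatever its width. */
static void feed_fixed(struct matcher *m, char ch)
{
    if (m->flagmaybez && m->pos < NEEDLE_LEN && !matches_at(ch, m->pos))
        m->flagmaybez = 0;
    if (m->flagmaybez && m->pos == NEEDLE_LEN) m->hops++;
    if (m->pos < POS_CAP) m->pos++;
    if (ch == '\n') { m->pos = 0; m->flagmaybez = 1; }
}

/* Run a byte stream through one matcher variant and return its final state. */
static struct matcher run(feed_fn feed, const char *data, size_t len)
{
    struct matcher m;
    memset(&m, 0, sizeof m);
    m.flagmaybez = 1;
    for (size_t i = 0; i < len; i++) feed(&m, data[i]);
    return m;
}

/* Constructed sample: an ordinary header block; two lines start with
 * "delivered" in one case or the other. */
static const char sample_headers[] =
    "Received: from mx.example.invalid\r\n"
    "Delivered-To: user@example.invalid\r\n"
    "delivered: yes\r\n"
    "\r\n";

static struct matcher run_headers(feed_fn feed)
{
    return run(feed, sample_headers, sizeof sample_headers - 1);
}

/* Constructed sample: one line that starts with "delivered" and then runs
 * on past the counter's range before its '\n' arrives. */
static struct matcher run_long_line(feed_fn feed)
{
    char line[256];
    size_t n = NEEDLE_LEN;
    memcpy(line, "delivered", NEEDLE_LEN);
    while (n < sizeof line - 1) line[n++] = 'x';
    line[n++] = '\n';
    return run(feed, line, n);
}

int main(void)
{
    struct matcher v = run_long_line(feed_vuln), f = run_long_line(feed_fixed);
    printf("vulnerable: hops=%d negative-index reads=%d first index=%d\n",
           v.hops, v.oob_count, v.oob_index);
    printf("hardened:   hops=%d negative-index reads=%d\n", f.hops, f.oob_count);
    return 0;
}
```

Both variants count the same two "delivered" lines in the ordinary header block; only the vulnerable one, on the over-long line, reaches the string index with a negative `pos`. The saturating increment is the alternative to checking `pos` after the fact: it needs no assumption about what the counter does on overflow.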