Re: [Full-Disclosure] Buffer overflow in qmail-qmtpd, yet still qmail much better than windows
- To: Georgi Guninski <guninski@xxxxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxx, qmail@xxxxxxxxxxxxx
- Subject: Re: [Full-Disclosure] Buffer overflow in qmail-qmtpd, yet still qmail much better than windows
- From: Russell Nelson <nelson@xxxxxxxxxx>
- Date: Wed, 3 Mar 2004 12:02:24 -0500
Bruno Wolff III writes:
> RELAYCLIENT needs to be set by a trusted user in the first place, so if
> you are getting bad values for RELAYCLIENT you have other problems.
That's not the problem. It's not the value of RELAYCLIENT, it's the
length of it. The problem is that len can get set to a very large
value which reduces rather than increases the value of the LHS of the
following comparison:
> > if (len + relayclientlen >= 1000)
You could fix it in a manner closer to what djb intended by making the
code look like this:
> > for (;;) {
> > substdio_get(&ssin,&ch,1);
> > if (ch == ':') return len;
> > - if (len > 200000000) resources();
> > len = 10 * len + (ch - '0');
> > + if (len > 200000000) resources();
> > }
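Review bot: moving the bound test to after `len = 10 * len + (ch - '0')` is the right placement, since the old order returned the value computed on the last byte untested; but the loop still performs arithmetic on any byte, and a `ch` below `'0'` makes `(ch - '0')` negative, which is the very case that produces the huge `len` the message describes. Add an explicit digit test before the multiply, e.g. `if (ch < '0' || ch > '9') resources();`, instead of relying on the post-check alone. This hunk also carries no `@@` header, so the file and function it patches cannot be told from the patch itself.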
> > @@ -193,8 +193,8 @@
> > substdio_get(&ssin,&ch,1);
> > --biglen;
> > if (ch == ':') break;
> > - if (len > 200000000) resources();
> > len = 10 * len + (ch - '0');
> > + if (len > 200000000) resources();
> > }
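Review bot: same placement fix as the first hunk and the same remaining gap: `ch` is not validated as a digit before `ch - '0'` is added in. Since this loop differs from the first only by `--biglen` and `break` instead of `return len`, consider factoring the accumulate-and-bound step into one helper so the two copies cannot drift out of step again.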
The work-around is not to set RELAYCLIENT. Since it's extremely
unlikely that anybody is setting it in the first place, this bug
should have no operational consequences.
--
--My blog is at angry-economist.russnelson.com | I'm giving a short
Crynwr sells support for free software | PGPok | talk at WTF, Isen's
521 Pleasant Valley Rd. | +1 315 268 1925 voice | stupid net conference:
Potsdam, NY 13676-3213 | FWD# 404529 via VOIP | http://stupidnet.com
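The wrap-around the message describes, shown as an added example written for this page (not qmail's code and not the patch above): both loops read a decimal length from an in-memory string instead of substdio, and the type of `len` is an assumption (`unsigned long`), under which a byte below `'0'` makes `(ch - '0')` negative and the sum wraps to a huge value that still satisfies `len + relayclientlen < 1000`.

```c
#include <stdio.h>

/* Added example, not qmail's code: two in-memory versions of the quoted
 * length-parsing loop, plus the size comparison from the message. The
 * type of len is an assumption (unsigned long); with it, a byte below
 * '0' makes (ch - '0') negative and the sum wraps to a huge value. */
struct lenres { int ok; unsigned long len; };   /* ok == 0: resources() path */

/* Shape of the loop before the patch: the bound is tested before the
 * arithmetic, so a value computed on the last byte is returned untested. */
static struct lenres getlen_before(const char *in)
{
    struct lenres r = { 0, 0 };
    for (; *in; in++) {
        char ch = *in;
        if (ch == ':') { r.ok = 1; return r; }
        if (r.len > 200000000UL) return r;   /* resources() */
        r.len = 10 * r.len + (ch - '0');     /* no digit check: may wrap */
    }
    return r;                                /* input ended without ':' */
}

/* Hardened form: reject non-digits outright and test the bound after
 * the arithmetic, where the patch on the list moves it. */
static struct lenres getlen_after(const char *in)
{
    struct lenres r = { 0, 0 };
    for (; *in; in++) {
        char ch = *in;
        if (ch == ':') { r.ok = 1; return r; }
        if (ch < '0' || ch > '9') return r;  /* non-digit: reject */
        r.len = 10 * r.len + (unsigned long)(ch - '0');
        if (r.len > 200000000UL) return r;   /* bound checked on the new value */
    }
    return r;
}

/* The `len + relayclientlen >= 1000` test from the message; returns 1
 * when the addition stays below 1000, which a wrapped len can still do. */
static int size_check_passes(unsigned long len, unsigned long relayclientlen)
{
    return len + relayclientlen < 1000;
}

int main(void)
{
    const char *bad = "\t:";   /* constructed input: a tab where a digit belongs */
    struct lenres b = getlen_before(bad), a = getlen_after(bad);
    printf("before: ok=%d len=%lu passes=%d\n", b.ok, b.len, size_check_passes(b.len, 100));
    printf("after:  ok=%d (rejected)\n", a.ok);
    return 0;
}
```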
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html