| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: nelson at crynwr.com (Russell Nelson)
Subject: Buffer overflow in qmail-qmtpd, yet still qmail much better than windows
Bruno Wolff III writes:
> RELAYCLIENT needs to be set by a trusted user in the first place, so if
> you are getting bad values for RELAYCLIENT you have other problems.
That's not the problem. It's not the value of RELAYCLIENT, it's the
length of it. The problem is that len can get set to a very large
value which reduces rather than increases the value of the LHS of the
following comparison:
> > if (len + relayclientlen >= 1000)
You could fix it in a manner closer to what djb intended by making the
code look like this:
> > for (;;) {
> > substdio_get(&ssin,&ch,1);
> > if (ch == ':') return len;
> > - if (len > 200000000) resources();
> > len = 10 * len + (ch - '0');
> > + if (len > 200000000) resources();
> > }
> > @@ -193,8 +193,8 @@
> > substdio_get(&ssin,&ch,1);
> > --biglen;
> > if (ch == ':') break;
> > - if (len > 200000000) resources();
> > len = 10 * len + (ch - '0');
> > + if (len > 200000000) resources();
> > }
The work-around is not to set RELAYCLIENT. Since it's extremely
unlikely that anybody is setting it in the first place, this bug
should have no operational consequences.
--
--My blog is at angry-economist.russnelson.com | I'm giving a short
Crynwr sells support for free software | PGPok | talk at WTF, Isen's
521 Pleasant Valley Rd. | +1 315 268 1925 voice | stupid net conference:
Potsdam, NY 13676-3213 | FWD# 404529 via VOIP | http://stupidnet.com
Powered by blists - more mailing lists