Message-ID: <20040120081643.GA12674@stud.fit.vutbr.cz>
From: dave.jez at seznam.cz (David Jez)
Subject: Re: Lame crash in qmail-smtpd
Hello guys
> [...]
>
> The problem is in:
> void blast(hops)
> int *hops;
> ...
> int pos; /* number of bytes since most recent \n, if fih */
> ...
> if (pos < 9) {
> if (ch != "delivered"[pos]) if (ch != "DELIVERED"[pos])
> flagmaybez = 0; ...
> ++pos;
> ...
I think this isn't a serious security problem because generally this kind
of overflow (nondeterministic, uncontrolled random read from a
random address) is not exploitable. This can only be a "logical
bug". I think that the best fix is the following patch (or die with another
funny message like go away, etc.).
Regards,
--
-------------------------------------------------------
David "Dave" Jez Brno, CZ, Europe
E-mail: dave.jez@...nam.cz
PGP key: finger xjezda00@....fit.vutbr.cz
---------=[ ~EOF ]=------------------------------------
--- qmail-smtpd.c.orig Tue Jan 20 06:35:18 2004
+++ qmail-smtpd.c Tue Jan 20 06:43:03 2004
@@ -318,6 +318,7 @@
if (flagmaybey) if (pos == 1) flaginheader = 0;
}
++pos;
+ if (pos < 0) die_nomem();
if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; }
}
switch(state) {
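Review bot: the guard `if (pos < 0) die_nomem();` only fires after `++pos` has already overflowed, and signed overflow of an `int` is undefined behaviour in C, so a compiler is entitled to assume `pos` never goes negative and drop the new check entirely. Test before the increment instead, e.g. `if (pos == INT_MAX) die_nomem();` ahead of `++pos;`, or cap `pos` at a small ceiling, since the visible code only ever compares it against 1 and 9; the cap also means no multi-gigabyte line has to arrive before the counter is safe. `die_nomem()` is also a misleading diagnostic for a line-length condition, as the message itself half-acknowledges.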
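As an added example (not David's patch and not qmail's code), the same per-byte counter narrowed to a signed char so the wrap is reachable on a few hundred bytes of input, beside a saturating counter that keeps the quoted "delivered" matcher's behaviour without ever forming a negative index; pos_t, pos_after_unchecked, pos_bump, count_delivered_lines and demo are names chosen here, and the sample buffer is constructed.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for the `int pos` of the quoted blast(): as a signed char the wrap
   that needs a >2 GiB header line in qmail-smtpd shows up after 127 bytes
   (implementation-defined narrowing here; on an int the ++ is undefined). */
typedef signed char pos_t;

/* Unchecked per-byte counter: what pos holds after n bytes with no newline. */
pos_t pos_after_unchecked(size_t n) {
    pos_t pos = 0;
    for (size_t i = 0; i < n; i++) ++pos;
    return pos;                      /* negative once n exceeds SCHAR_MAX (127) */
}

/* Hardened counter: saturate at 9, the largest value the matcher compares
   against (only pos < 9 and pos == 1 are asked), so no negative index forms. */
pos_t pos_bump(pos_t pos) {
    return pos < 9 ? (pos_t)(pos + 1) : (pos_t)9;
}

/* Count lines of buf starting with "delivered" (either case per character),
   keeping the flag-and-index shape of the quoted code but with the safe bump. */
int count_delivered_lines(const unsigned char *buf, size_t len) {
    pos_t pos = 0;
    int flagmaybez = 1, count = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char ch = buf[i];
        if (pos < 9) {
            if (ch != "delivered"[pos]) if (ch != "DELIVERED"[pos])
                flagmaybez = 0;
            if (flagmaybez && pos == 8) count++;   /* all nine bytes matched */
        }
        pos = pos_bump(pos);
        if (ch == '\n') { pos = 0; flagmaybez = 1; }
    }
    return count;
}

/* Constructed sample, not from the message: a normal header, a 300-byte line
   (enough to wrap the narrowed counter), then two more lines. */
int demo(void) {
    static unsigned char buf[600];
    const char *head = "Delivered-To: user@example.invalid\n", *tail = "\ndelivered\nDELIVER\n";
    size_t n = strlen(head);
    memcpy(buf, head, n);
    memset(buf + n, 'x', 300); n += 300;
    memcpy(buf + n, tail, strlen(tail)); n += strlen(tail);
    return count_delivered_lines(buf, n);        /* 2 */
}
```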