lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040120081643.GA12674@stud.fit.vutbr.cz>
From: dave.jez at seznam.cz (David Jez)
Subject: Re: Lame crash in qmail-smtpd

  Hello guys

> [...]
>
> The problem is in:
> void blast(hops)
> int *hops;
> ...
> int pos; /* number of bytes since most recent \n, if fih */
> ...
>    if (pos < 9) {
>         if (ch != "delivered"[pos]) if (ch != "DELIVERED"[pos])
> flagmaybez = 0; ...
> ++pos;
> ...

  I think this isn't serious security problem because generally this kind
of overflow (nondeterministic, noncontrolled random read from
random address) is not exploitable. This can be only "logical
bug". I think that best fix is following patch (or die with another
funny message like go away, etc.).

  Regards,
-- 
-------------------------------------------------------
  David "Dave" Jez                Brno, CZ, Europe
 E-mail: dave.jez@...nam.cz
PGP key: finger xjezda00@....fit.vutbr.cz
---------=[ ~EOF ]=------------------------------------
-------------- next part --------------
--- qmail-smtpd.c.orig	Tue Jan 20 06:35:18 2004
+++ qmail-smtpd.c	Tue Jan 20 06:43:03 2004
@@ -318,6 +318,7 @@
         if (flagmaybey) if (pos == 1) flaginheader = 0;
       }
       ++pos;
+      if (pos < 0) die_nomem();
       if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; }
     }
     switch(state) {

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ