Message-ID: <16454.4000.476221.401356@desk.crynwr.com>
From: nelson at crynwr.com (Russell Nelson)
Subject: Buffer overflow in qmail-qmtpd, yet still qmail much better than windows

Bruno Wolff III writes:
 > RELAYCLIENT needs to be set by a trusted user in the first place, so if
 > you are getting bad values for RELAYCLIENT you have other problems.

That's not the problem.  It's not the value of RELAYCLIENT, it's the
length of it.  The problem is that len can get set to a very large
value which reduces rather than increases the value of the LHS of the
following comparison:

 > > if (len + relayclientlen >= 1000) 

You could fix it in a manner closer to what djb intended by making the
code look like this:

 > >    for (;;) {
 > >      substdio_get(&ssin,&ch,1);
 > >      if (ch == ':') return len;
 > > -    if (len > 200000000) resources();
 > >      len = 10 * len + (ch - '0');
 > > +    if (len > 200000000) resources();
 > >    }
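
Review bot: the update line "len = 10 * len + (ch - '0');" still folds in any byte that is not ':' without checking that it is a decimal digit, so the relocated "if (len > 200000000) resources();" bounds the size of the result but not its validity. Consider rejecting the input when ch < '0' || ch > '9' before the multiply. The relocation itself looks right: with the test placed after the update, the "if (ch == ':') return len;" exit can no longer hand back a value that the limit never examined.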

 > > @@ -193,8 +193,8 @@
 > >          substdio_get(&ssin,&ch,1);
 > >          --biglen;
 > >          if (ch == ':') break;
 > > -        if (len > 200000000) resources();
 > >          len = 10 * len + (ch - '0');
 > > +        if (len > 200000000) resources();
 > >        }
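
Review bot: this loop repeats the digit accumulation and the literal 200000000 from the loop in the first hunk, so the two limits have to be kept in sync by hand. Consider a named constant or a shared helper for the limit, and a short comment on the relocated "if (len > 200000000) resources();" saying that it has to follow the update, so that nobody moves it back above "len = 10 * len + (ch - '0');" later.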

The work-around is not to set RELAYCLIENT.  Since it's extremely
unlikely that anybody is setting it in the first place, this bug
should have no operational consequences.

-- 
--My blog is at angry-economist.russnelson.com  | I'm giving a short
Crynwr sells support for free software  | PGPok | talk at WTF, Isen's
521 Pleasant Valley Rd. | +1 315 268 1925 voice | stupid net conference:
Potsdam, NY 13676-3213  | FWD# 404529 via VOIP  | http://stupidnet.com
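
Added example, not part of the original message and not qmail's own code: a small C model of the quoted digit loop showing what moving the limit check changes, plus the quoted sum comparison next to a form that cannot wrap. Assumptions: a 32-bit unsigned len (the page does not show the types), resources() modeled as a -1 return, a digit check that the quoted loop does not have, the hypothetical names parse_len, too_long and too_long_safe, and constructed inputs.

```c
#include <stdint.h>
#include <stdio.h>

#define LEN_LIMIT 200000000u /* bound from the quoted patch */

/* Model of the quoted digit loop over a constructed in-memory string.
 * check_after = 0: limit tested before the update (original order).
 * check_after = 1: limit tested after the update (patched order).
 * Returns 0 and stores the length, or -1 where the original calls resources().
 * Assumption: len is 32 bits wide and unsigned. */
static int parse_len(const char *s, int check_after, uint32_t *out)
{
    uint32_t len = 0;
    for (;; s++) {
        if (*s == ':') { *out = len; return 0; }
        if (*s < '0' || *s > '9') return -1; /* model only: not in the quoted loop */
        if (!check_after && len > LEN_LIMIT) return -1;
        len = 10 * len + (uint32_t)(*s - '0');
        if (check_after && len > LEN_LIMIT) return -1;
    }
}

/* The comparison quoted in the message: 1 means "reject". The sum can wrap. */
static int too_long(uint32_t len, uint32_t relayclientlen)
{
    return (uint32_t)(len + relayclientlen) >= 1000;
}

/* Same intent without an addition that can wrap (hypothetical rewrite). */
static int too_long_safe(uint32_t len, uint32_t relayclientlen)
{
    return relayclientlen >= 1000 || len >= 1000 - relayclientlen;
}

int main(void)
{
    uint32_t v = 0;
    int rc = parse_len("2000000009:", 0, &v); /* constructed input */
    printf("check before update: rc=%d len=%lu\n", rc, (unsigned long)v);
    rc = parse_len("2000000009:", 1, &v);
    printf("check after update:  rc=%d\n", rc);
    /* constructed value near the 32-bit maximum, relayclientlen of 20 */
    printf("sum compare rejects: %d, safe compare rejects: %d\n",
           too_long(4294967290u, 20), too_long_safe(4294967290u, 20));
    return 0;
}
```

With the check before the update, the last digit read is never tested, so the loop can return ten times the limit; with the check after, every value that leaves the loop has been tested.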

