Shin-ichi Nagamura,

> I found a problem that overruns a buffer when reading from a socket in
> amavis-milter.c.
>
> I'm using amavisd and amavis-milter in the following environment.
>
>       $ uname -mrs
>       FreeBSD 7.0-STABLE amd64
>       $ amavisd -V
>       amavisd-new-2.6.0 (20080423)
>       $ sendmail -d0,1
>       Version 8.14.2
>
>       I installed amavisd-new from the FreeBSD port system
>       (security/amavisd-new: amavisd-new-2.6.0_1,1).
>
>       and I use amavis-milter with sendmail via milter.
>
> ### Abstract ###
>
> Sendmail sometimes cannot receive email via smtp and submission,
> because amavis-milter sometimes returns TEMPFAIL.
>
>
> ### Description ###
>
> The amavisd sends return value "0", and the amavis-milter receives it.
> But the amavis-milter doesn't add or check for a null terminator. Therefore,
> it will read, using atoi(), a return value with an undefined value appended.
>
> I don't know whether the send() function should add a null terminator
> according to the perl specification, but perl in my environment does not
> add a null terminator when sending data. Therefore amavisd sends "0" as the
> success value, but amavis-milter does not understand it as success.
>
> I think that the receiver should support unexpected values.

Oops, an ugly bug indeed, letting atoi deal with uninitialized value.

This patch should get it right I believe:

--- amavis-milter.c~    2004-07-02 16:44:26.000000000 +0200
+++ amavis-milter.c     2008-06-27 15:31:45.000000000 +0200
@@ -755,4 +755,5 @@
        } else {
            /* get result from amavisd */
+           memset(buff, 0, sizeof *buff);
            r = recv(sock, buff, 6, 0);
            amavis_syslog(DBG_DEBUG, "%s: (mlfi_eom) received %s from daemon", 
sendmail_queueid, buff);
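
Review bot: `sizeof *buff` in the added memset is the size of one element of buff, not of the buffer. buff is logged with %s, so it is a character buffer and this clears a single byte, which recv() then overwrites; a one-byte reply such as "0" still leaves the following bytes uninitialized for the %s log line and for any later atoi(). If buff is an array, use `memset(buff, 0, sizeof buff)`; more robustly, use the recv() return value: check `r > 0` and set `buff[r] = '\0'` before the amavis_syslog call, making sure the buffer has room for a seventh byte since recv() may return all 6.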


> I attached a patch for this problem.

This mailing list is stripping off all attachments.

Btw, I believe that hardly anyone is still using the amavis-milter
which comes with the package. Most sendmail users are nowadays
using Petr Rehor's http://sourceforge.net/projects/amavisd-milter/,
which is also in FreeBSD ports: security/amavisd-milter.

Thanks a lot for the problem report!
  Mark

_______________________________________________
AMaViS-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/amavis-user
AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
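
The failure mode discussed in this thread, as an added example that is not part of the original messages or of the amavis source: a one-byte "0" reply with no terminator parsed by atoi(), next to a receiver that terminates at the received length and rejects anything that is not a complete number. All function names are hypothetical, and a socketpair stands in for the connection to amavisd.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

/* Constructed stand-in for the daemon: returns a socket on which exactly
 * the n bytes of reply (no NUL terminator) are waiting, or -1 on error. */
int peer_with_reply(const char *reply, size_t n) {
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    ssize_t w = n ? send(sv[1], reply, n, 0) : 0;
    close(sv[1]);                      /* peer closes after sending */
    if (w != (ssize_t)n) { close(sv[0]); return -1; }
    return sv[0];
}

/* Pattern from the report: recv() then atoi() with no terminator. Stale
 * stack contents are simulated with '7' bytes so the result is defined
 * here; in real code the bytes after the reply are indeterminate. */
int read_status_naive(int sock) {
    char buff[8] = "7777777";          /* simulated leftover data + NUL */
    (void)recv(sock, buff, 6, 0);
    return atoi(buff);
}

/* Hardened: bounded read, terminate at the received length, accept only
 * a complete decimal number. Returns 0 and sets *status, else -1. */
int read_status_checked(int sock, int *status) {
    char buff[8], *end;
    ssize_t r = recv(sock, buff, sizeof buff - 1, 0);
    if (r <= 0) return -1;             /* error or peer closed */
    buff[r] = '\0';                    /* terminate what was received */
    if (!isdigit((unsigned char)buff[0])) return -1;
    long v = strtol(buff, &end, 10);   /* at most 7 digits, fits in int */
    while (*end == '\r' || *end == '\n') end++;  /* tolerate line ending */
    if (*end != '\0') return -1;       /* trailing junk: reject */
    *status = (int)v;
    return 0;
}

int main(void) {
    int st = -1, rc = read_status_checked(peer_with_reply("0", 1), &st);
    int naive = read_status_naive(peer_with_reply("0", 1));
    printf("naive=%d checked=%d (rc %d)\n", naive, st, rc);
    return 0;
}
```

A single recv() is enough here because the reply is a few bytes; a receiver for longer replies would loop until the peer closes or a delimiter arrives.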