On Tue, May 17, 2011 at 5:40 PM, John R. Levine <[email protected]> wrote:
>> How can:
>>
>> log_write(0, LOG_MAIN, (char *)logmsg)
>>
>> be used to arbitrarily inject code? I understand the concept, but
>> having % in the logmsg with no parameters to feed it seems harmless to
>> me.
>
> It took random junk off the stack which presumably overflowed a buffer.
>
> I found it because one of my users (someone you know)

yes, a certain Canadian.

> was complaining that
> all of the mail he sent to a site that uses Exim was disappearing. I got
> them to look at the logs and found they were logging the DKIM signatures and
> then barfing.
>
> See http://bugs.exim.org/show_bug.cgi?id=1106

yep, I saw that.

> Passing an unchecked string as a printf format is an ancient unix bug.

Ah, so vargs type stuff. Still, I'll have to run it through a debugger
myself to understand. I would think one would have a loop of some
sort. I would have thought if there were no args it would just end.

(oh, I see Hector has some input too)

--
Jeff Macdonald
Ayer, MA
_______________________________________________
dkim-ops mailing list
[email protected]
http://mipassoc.org/mailman/listinfo/dkim-ops
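The question in this message, shown as an added example that is not part of the original post and is not Exim's code: a printf-style function walks the format string, not the argument list, so it cannot "just end" when no arguments were passed. The names `log_fmt`, `count_conversions`, `logs_verbatim` and the sample header text are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logger standing in for log_write(); not Exim code.
 * The format attribute lets gcc/clang check call sites (-Wformat-security). */
__attribute__((format(printf, 3, 4)))
static int log_fmt(char *out, size_t len, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(out, len, format, ap);
    va_end(ap);
    return n;
}

/* Lower bound on how many arguments a printf-style call would fetch for s.
 * The format string alone drives that loop; the callee cannot see how many
 * arguments the caller really passed. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }  /* "%%" is a literal percent */
        if (s[1] == '\0')
            break;                           /* lone trailing '%' */
        n++;
    }
    return n;
}

/* Corrected call shape: constant format, untrusted text passed as data. */
static int logs_verbatim(const char *msg)
{
    char out[256];
    int n = log_fmt(out, sizeof out, "%s", msg);
    return n == (int)strlen(msg) && strcmp(out, msg) == 0;
}

int main(void)
{
    /* Constructed sample: header text containing percent signs. */
    const char *logmsg = "DKIM: d=example.org s=sel b=%d %s 100%% done";
    printf("conversions requested by the string: %d\n", count_conversions(logmsg));
    printf("logged verbatim via \"%%s\": %s\n", logs_verbatim(logmsg) ? "yes" : "no");
    return 0;
}
```

A nonzero count on text that reaches a format parameter means the call would read arguments nobody supplied; passing the text through a constant `"%s"` format removes that path.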
