Dinesh Nair wrote:
On Mon, 19 Jan 2004, Anton Alin-Adrian wrote:
Please look in the thread, I already posted:
http://www.guninski.com/qmailcrash.html
Regarding latest qmail vulnerability, I coded this quick patch. Please double-check me if I am wrong here. Forward this to freebsd-security please.
320c320 < ++pos; ---
if (pos>9) ++pos;
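Review bot: The guard in the replacement line `if (pos>9) ++pos;` looks inverted. It increments only when pos is already above 9, so a pos between 0 and 9 never advances, and a pos above 9 still grows with no upper bound. If the intent is to cap the counter, the condition should stop the increment at the limit instead of starting it there, for example `if (pos < 9) ++pos;`, with the limit chosen so that the code reading pos still sees every value it tests for, and a comment saying why the cap exists.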
wouldn't it be better to switch pos from an int to a u_int? or do specific bounds checking before incrementing pos? this patch seems to _only_ increment pos if it's > 9, and reading the code will show you where you're going to get into some problems. :)
Regards,
--- qmail-smtpd.c Mon Jun 15 13:53:16 1998 +++ qmail-smtpd-patched.c Mon Jan 19 15:22:23 2004 @@ -316,8 +316,8 @@ if (flagmaybex) if (pos == 7) ++*hops; if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0; if (flagmaybey) if (pos == 1) flaginheader = 0; + ++pos; } - ++pos; if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; } } switch(state) {
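Review bot: The moved `++pos;` now depends on whatever condition opens the block that the following `}` closes, and that condition sits above the three context lines, so the hunk on its own does not show what bounds pos after the change. Please add a comment on the moved line stating the bound it relies on, or regenerate the diff with enough context to include the opening `if`, so a reader can confirm that the `pos == 7`, `pos < 2` and `pos == 1` tests are still reached for every value they check. Leaving the `pos = 0` reset on '\n' outside the block is right, since it has to run whether or not the increment does. Separately, the `+++` header names qmail-smtpd-patched.c while the `---` header names qmail-smtpd.c, so anyone applying this has to name the target file explicitly.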