On Mon, Oct 05, 2015 at 02:15:55PM +1300, Holger Jahn wrote:
> Hi there,
>
> After playing with MDA delivery in smtpd.conf on two servers, I found that
> there seems to be an internal command line buffer overflow after 256 bytes.
>
> Consider the following MDA config setting:
>
> deliver to mda "echo '%{sender}' '%{sender.user}' '%{sender.domain}' %{rcpt}
> '%{rcpt.user}' '%{rcpt.domain}' '%{dest}' '%{dest.user}' '%{dest.domain}'
> '%{user.username}' '%{user.directory}' >> /tmp/mX-cmd.tmp"
>
> However, all that will be executed is this part:
>
> echo '%{sender}' '%{sender.user}' '%{sender.domain}' %{rcpt} '%{rcpt.user}'
> '%{rcpt.domain}' '%{dest}' '%{dest.user}' '%{dest.domain}'
> '%{user.username}' '%{user.directory}' >> /tmp/mX
>
> i.e. there will be a file with the crippled name "/tmp/mX" after triggering
> the MDA command.
>
> Since I had a similar MDA command set up on another machine that worked, I
> figured that the buffer overflow must be happening AFTER format specifier
> expansion. When I filled in the values by hand I ended up with the magical
> number of 256 after which my command execution was clipped.
>
> So, here is my question, is this a feature or a bug? ;-)
>
This looks like a truncation in the forward expansion code, it should have
caused the mail to be rejected, I'll have a look today.
Can you tell me which version you are using ?
--
Gilles Chehade
https://www.poolp.org @poolpOrg
--
You received this mail because you are subscribed to [email protected]
To unsubscribe, send a mail to: [email protected]
