On Mon, Oct 05, 2015 at 12:38:50AM +0200, Jason A. Donenfeld wrote:
> Hi folks,
>
> I'm passing the gauntlet for anyone who wants to analyze this for
> impact etc. There's a remotely triggerable buffer overflow in
> OpenBSD's OpenSMTPD -- the latest version, 5.7.2 -- reachable by
> sending messages with huge header lines. Qualys recently published a
> result of a big audit, but it seems like they based their
> investigations primarily on an older version of OpenSMTPD that didn't
> have as much of the "filter" infrastructure. I'd recommend interested
> parties spend some time looking through the filter code, as there
> could be more problems. Here's a vulnerability in the filter io path:
>
This affects the 5.7.x branch; we'll publish a fixed release shortly.
Here's the diff to fix the issue until we've prepared the release.
diff --git a/smtpd/filter.c b/smtpd/filter.c
index 062f00f..8af6eab 100644
--- a/smtpd/filter.c
+++ b/smtpd/filter.c
@@ -726,7 +726,6 @@ filter_tx_io(struct io *io, int evt)
struct filter_session *s = io->arg;
size_t len, n;
char *data;
- char buf[65535];
log_trace(TRACE_FILTERS, "filter: filter_tx_io(%p, %s)", s,
io_strevent(evt));
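Review bot: the diff carries no commit message, so the reason for dropping the `char buf[65535]` stack array in `filter_tx_io()` is only recoverable from the thread; record in the log that this removes the fixed-size stack buffer that the IO_DATAIN path copied unbounded input into, so the fix for the remotely reachable overflow stays traceable from the history alone.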
@@ -734,10 +733,9 @@ filter_tx_io(struct io *io, int evt)
case IO_DATAIN:
data = iobuf_data(&s->ibuf);
len = iobuf_len(&s->ibuf);
- memmove(buf, data, len);
- buf[len] = 0;
- log_trace(TRACE_FILTERS, "filter: filter_tx_io: datain (%zu)
for req %016"PRIx64": %s",
- len, s->id, buf);
+
+ log_trace(TRACE_FILTERS, "filter: filter_tx_io: datain (%zu)
for req %016"PRIx64"",
+ len, s->id);
n = fwrite(data, 1, len, s->ofile);
if (n != len) {
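Review bot: removing the copy rather than bounding it is the right call here, since `memmove(buf, data, len)` never checked `len` against the 65535-byte buffer and the following `buf[len] = 0` wrote one byte past the end even at exactly `len == 65535`; `data` is already handed straight to `fwrite()`, so no intermediate copy was ever needed. Two leftovers worth cleaning up in this hunk: the new format string ends in an empty `""` literal left behind by the removed `%s`, and the added bare `+` line introduces a stray blank line before the `log_trace()` call.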
--
Gilles Chehade
https://www.poolp.org @poolpOrg