Watch:

mnementh$ gdb ./scan
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) run -width 16536 -file /tmp/bad.txt
Starting program: /home/pm215/junk/nmh-from-cvs/uip/scan -width 16536 -file /tmp/bad.txt

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

The file in question is available at
http://www.chiark.greenend.org.uk/~pmaydell/misc/bad.txt
It's got a 16K long From field, all on one line. This would probably be
tricky to get through MTAs without something folding it, however:
http://www.chiark.greenend.org.uk/~pmaydell/misc/bad2047.txt
is a folded From header and also crashes. (The presence of the RFC 2047
encoded bit seems to be necessary in the folded case: perhaps there are
two overruns...)

This seems to have been in nmh for some time: a 1.0.4 I had also exhibits
the bug.

This would be a remote exploit if you were in the habit of running scan
with ludicrously high width parameters. (Not quite so implausible as you
might think, since an easy way to get untruncated headers in a script is
to run scan with a large -width and look at the result, but 16K is pretty
silly even for that.)

I think this ought to be fixed for 1.2, but I don't know if I'll have time
to investigate before next week. Preliminary investigation suggests that
at least one of the problems is decode_rfc2047(), whose API is totally
broken since it has to be passed a preallocated buffer but doesn't let the
caller specify the length of the buffer...

On the bright side, I've now checked in fixes for all the other things I
thought needed to be fixed for 1.2...

-- 
PMM

_______________________________________________
Nmh-workers mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/nmh-workers
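As an added illustration of the API shape the report says decode_rfc2047() lacks, here is a bounded RFC 2047 decoder that takes the destination buffer's size and refuses to overrun it. This is example code, not nmh's; decode_q_word and hexval are hypothetical names, only the Q encoding is handled, and the charset is parsed but ignored.

```c
#include <string.h>

/* hexval: value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* decode_q_word (hypothetical, not nmh's decode_rfc2047): decode one
 * RFC 2047 encoded-word of the form =?charset?Q?text?= into out.
 * Unlike the API described in the report, the caller passes the size
 * of out, and the function returns -1 instead of writing past it (or
 * on malformed input).  On success it returns the number of bytes
 * written, not counting the terminating NUL. */
int decode_q_word(const char *in, char *out, size_t outlen)
{
    const char *p, *end;
    size_t n = 0;

    if (outlen == 0 || strncmp(in, "=?", 2) != 0) return -1;
    p = strchr(in + 2, '?');                  /* end of charset */
    if (p == NULL || (p[1] != 'Q' && p[1] != 'q') || p[2] != '?') return -1;
    p += 3;
    end = strstr(p, "?=");                    /* end of encoded text */
    if (end == NULL) return -1;

    while (p < end) {
        int c;
        if (*p == '_') {                      /* underscore encodes a space */
            c = ' ';
            p += 1;
        } else if (*p == '=') {               /* =XX hex escape */
            int hi, lo;
            if (end - p < 3) return -1;       /* truncated escape */
            hi = hexval((unsigned char)p[1]);
            lo = hexval((unsigned char)p[2]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            p += 3;
        } else {
            c = (unsigned char)*p++;
        }
        if (n + 1 >= outlen) return -1;       /* no room for byte + NUL: refuse */
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}
```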
