Peter Maydell wrote:
> I'm glad I did that, because smhear() appears to have had in it for a decade
> completely broken accounting of the space left in the reply buffer in the
> case where there's a continuation line from the SMTP server.
>
> I think this is at least potentially a security hole in that if you connect
> to a malicious SMTP server it could send you lines which result in an overrun
> of the (global) buffer and (maybe) execution of arbitrary code.

Closer examination of the surrounding code leads me to think that you can't
overrun the buffer by more than a few bytes (you can't get to the offending
bit of code more than once even in a multi-line SMTP response). So it's not
as bad as I'd feared it might be, and I don't think it's exploitable.

-- 
PMM

_______________________________________________
Nmh-workers mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/nmh-workers
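For readers following the thread, here is an added illustration (not nmh's smhear() code, and not from the poster) of the accounting the message is about: a reader that collects a multi-line SMTP reply into a fixed-size buffer and recomputes the remaining space before every copy, so an over-long or endlessly continued reply from a hostile server fails cleanly instead of running past the buffer. The function name, the string-based input and the return convention are assumptions for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical bounded reader (illustration only, not nmh's smhear()).
 * Reads one SMTP reply, which may span several "NNN-text" continuation
 * lines ending in a "NNN text" line, into `out` (capacity `outsz`).
 * `remaining` is recomputed from `used` on every line, so the check holds
 * for the second and later lines, not just the first.
 * Returns the reply code, or -1 on malformed input or insufficient space. */
int read_smtp_reply(const char *input, char *out, size_t outsz)
{
    size_t used = 0;            /* bytes of `out` consumed so far */
    const char *p = input;
    int code = -1;

    if (outsz == 0)
        return -1;
    out[0] = '\0';
    for (;;) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) + 1 : strlen(p);
        size_t remaining = outsz - used - 1;    /* keep room for the NUL */
        int line_code;

        /* Every line must start with three digits and a ' ' or '-'. */
        if (len < 4 || !isdigit((unsigned char)p[0]) ||
            !isdigit((unsigned char)p[1]) || !isdigit((unsigned char)p[2]))
            return -1;
        line_code = (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
        if (code == -1)
            code = line_code;
        else if (line_code != code)
            return -1;          /* continuation lines must repeat the code */

        if (len > remaining)
            return -1;          /* would overrun: refuse instead of copying */
        memcpy(out + used, p, len);
        used += len;
        out[used] = '\0';

        if (p[3] == ' ')
            return code;        /* final line of the reply */
        if (p[3] != '-' || eol == NULL)
            return -1;          /* bad separator, or continuation with no end */
        p = eol + 1;
    }
}
```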
