Georgi Guninski has posted a way to buffer-overflow qmail-qmtpd.c.
Currently it is not proven that this can be used for a successful attack,
but better be safe. So here is a patch.
--
:wq Claudio
Index: qmail-qmtpd.c
===================================================================
RCS file: /home/cvs-djbware/CVS/qmail-ldap/qmail-qmtpd.c,v
retrieving revision 1.5
diff -u -p -r1.5 qmail-qmtpd.c
--- qmail-qmtpd.c 29 Jan 2004 15:03:15 -0000 1.5
+++ qmail-qmtpd.c 3 Mar 2004 16:11:57 -0000
@@ -46,8 +46,9 @@ unsigned long getlen(void)
char ch;
for (;;) {
substdio_get(&ssin,&ch,1);
- if (ch == ':') return len;
if (len > 200000000) resources();
+ if (ch == ':') return len;
+ if (ch < '0' || ch > '9') badproto();
len = 10 * len + (ch - '0');
}
}
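Review bot: the result of substdio_get(&ssin,&ch,1) in the context line is still ignored, so if the read returns 0 or -1 the new comparisons run on a `ch` that was never written (declared as plain `char ch;`) or that still holds the previous byte. Unless the read callback behind ssin already exits on EOF or error, which is not visible in this hunk, consider `if (substdio_get(&ssin,&ch,1) < 1) badproto();`. The reordering itself is sound: with the digit test ahead of `len = 10 * len + (ch - '0')` the addend stays in 0..9, and with the `len > 200000000` test ahead of the ':' return the value handed back can no longer exceed that cap. A one-line comment saying that the order of the three tests is deliberate would keep a later cleanup from swapping them back.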