On Wed, Mar 03, 2004 at 05:09:29PM +0100, Claudio Jeker wrote:
> Georgi Guninski has posted a way to buffer overflow qmail-qmtpd.c.
> Currently it is not proven that this can be used for a successful attack
> but better be safe. So here is a patch.
>
getlen() is also used in qmail-qmqpd.c (which is used for cluster
forwards). I don't know if it is possible to do anything bad with it but
again better be safe. Remember qmail-qmqpd is normally restricted to the
cluster servers with a tcprules file so the attack has to come from one of
your other mail servers.
Also the buffer overflow of Georgi Guninski needs a non-empty RELAYCLIENT
which is definitively non-standard.
--
:wq Claudio
Index: qmail-qmqpd.c
===================================================================
RCS file: /home/cvs-djbware/CVS/qmail-ldap/qmail-qmqpd.c,v
retrieving revision 1.11
diff -u -r1.11 qmail-qmqpd.c
--- qmail-qmqpd.c 29 Jan 2004 15:03:15 -0000 1.11
+++ qmail-qmqpd.c 3 Mar 2004 19:28:17 -0000
@@ -66,6 +66,7 @@
#endif
void resources() { _exit(111); }
+void badproto() { _exit(100); }
int safewrite(int fd, void *buf, int len)
{
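Review bot: badproto() introduces a second exit code beside resources() without saying what distinguishes them; a one-line comment at the new definition (`_exit(100)` for a protocol violation by the peer, `_exit(111)` for a temporary resource failure) would make the split explicit, since the one-line body alone does not say why the two codes differ.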
@@ -152,8 +153,9 @@
for (;;) {
getbyte(&ch);
- if (ch == ':') return len;
if (len > 200000000) resources();
+ if (ch == ':') return len;
+ if (ch < '0' || ch > '9') badproto();
len = 10 * len + (ch - '0');
}
}
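Review bot: swapping the order of `if (len > 200000000) resources();` and `if (ch == ':') return len;` changes the accepted range, not only the overflow behaviour: before, a length such as 200000001 followed directly by ':' was returned, because the terminator was handled before the ceiling test; now any len above 200000000 fails on the next byte whatever that byte is, so the effective ceiling drops from just over 2000000000 to 200000000. If that is intended it should be stated in the commit text; otherwise keep the ':' return first and put the digit check after it. The added `if (ch < '0' || ch > '9') badproto();` is the real fix, since it stops `ch - '0'` from contributing negative or greater-than-9 values to len; note that a length with no digits at all (':' as the first byte) still returns 0, which badproto() could also reject if the protocol requires at least one digit.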
@@ -162,7 +164,7 @@
{
char ch;
getbyte(&ch);
- if (ch != ',') _exit(100);
+ if (ch != ',') badproto();
}
struct qmail qq;
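To show concretely what the getlen() hunk above changes, here is an added example that is not qmail-ldap's code: both versions of the length loop, reimplemented over an in-memory byte buffer instead of qmail's getbyte() on a socket, and returning the diff's exit codes (100, 111) instead of calling _exit() so the two can be compared in one process. The `int` type for len and the 200000000 ceiling are taken from the diff as shown; that len is an int in the real file is an assumption, since its declaration is not in the hunk, and the `read_byte`/`parse_len` helpers and the sample inputs are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Exit codes from the diff, returned instead of calling _exit() so the two
 * parsers can be compared in one process. (Assumption: the real code exits.) */
enum { LEN_OK = 0, LEN_EOF = 1, LEN_BADPROTO = 100, LEN_RESOURCES = 111 };

/* Constructed stand-in for the socket that qmail's getbyte() reads from. */
struct reader {
    const unsigned char *buf;
    size_t len;
    size_t pos;
};

static int read_byte(struct reader *r, char *ch)
{
    if (r->pos >= r->len) return 0;          /* peer closed early */
    *ch = (char) r->buf[r->pos++];
    return 1;
}

/* Pre-patch getlen(): every byte that is not ':' is folded into len as
 * 10*len + (ch - '0'), digit or not, and the ceiling is only consulted
 * after the terminator test. */
static int getlen_old(struct reader *r, int *out)
{
    int len = 0;
    char ch;
    for (;;) {
        if (!read_byte(r, &ch)) return LEN_EOF;
        if (ch == ':') { *out = len; return LEN_OK; }
        if (len > 200000000) return LEN_RESOURCES;
        len = 10 * len + (ch - '0');
    }
}

/* Post-patch getlen(): ceiling first, then the terminator, then a strict
 * ASCII-digit check before len is updated. */
static int getlen_new(struct reader *r, int *out)
{
    int len = 0;
    char ch;
    for (;;) {
        if (!read_byte(r, &ch)) return LEN_EOF;
        if (len > 200000000) return LEN_RESOURCES;
        if (ch == ':') { *out = len; return LEN_OK; }
        if (ch < '0' || ch > '9') return LEN_BADPROTO;
        len = 10 * len + (ch - '0');
    }
}

/* Run one parser over a constructed byte string; n is passed explicitly
 * because some inputs contain NUL bytes. */
static int parse_len(int (*parser)(struct reader *, int *),
                     const char *input, size_t n, int *out)
{
    struct reader r = { (const unsigned char *) input, n, 0 };
    *out = 0;
    return parser(&r, out);
}

int main(void)
{
    /* Constructed inputs: a normal length, a NUL byte where a digit should
     * be, and a length just over the 200000000 ceiling. */
    const struct { const char *bytes; size_t n; } cases[] = {
        { "12:", 3 },
        { "\0:", 2 },
        { "200000001:", 10 },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int old_len, new_len;
        int old_rc = parse_len(getlen_old, cases[i].bytes, cases[i].n, &old_len);
        int new_rc = parse_len(getlen_new, cases[i].bytes, cases[i].n, &new_len);
        printf("case %zu: old rc=%d len=%d | new rc=%d len=%d\n",
               i, old_rc, old_len, new_rc, new_len);
    }
    return 0;
}
```

The second case is the one the digit check exists for: a single NUL byte before the ':' makes the old loop hand back a length of -48, a value the caller was never written to expect, while the new loop stops with the bad-protocol code. The third case shows the side effect of moving the ceiling test ahead of the ':' return: the old loop returns 200000001, the new one reports a resource failure as soon as the next byte arrives.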