On Wed, Oct 11, 2000 at 09:47:08PM +0200, Erik Sjoelund wrote:
> It looks strange in qmail-local.c as of qmail 1.03
> 
> line 648 in qmail-local.c  is written
>      while ((k > i) && (cmds.s[k - 1] == ' ') || (cmds.s[k - 1] == '\t'))
>        cmds.s[--k] = 0;
> 
> 
> Because && has higher precedence than ||,
> I suppose what was meant to be written was
> 
>     while ((k > i) && ((cmds.s[k - 1] == ' ') || (cmds.s[k - 1] == '\t')))
>        cmds.s[--k] = 0;
> 
> This could lead to strange behaviour for a .qmail starting
> with just tabs followed by a newline. By strange behaviour I
> mean referencing the array with index -1.

Actually, yes. You can make it read -1, but not with tabs. It will only
read -1 when the line consists of *just* a \n.

Exception: if you can arrange for the string in memory that contains the
.qmail file contents to be prepended *immediately* with one or more
tabs, it will actually read more than -1, -2 and so on, and these will
be overwritten with 0-bytes. Wouldn't know how to fix this though.

It's a bug, and it's an overflow-like one, but it doesn't seem
exploitable just now. Scares the shit out of me nonetheless.

Greetz, Peter
-- 
dataloss networks
'/ignore-ance is bliss' - me
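Added example, not code from the thread or from qmail itself: a constructed model of the trim loop quoted above, with every array access routed through a bounds-checking accessor so the index -1 read shows up as a count instead of a memory access. It assumes the line being trimmed is `mem[i..strlen(mem))` with the newline already stripped, and uses the bytes before offset i to stand in for whatever memory precedes the line.

```c
#include <stdio.h>
#include <string.h>
/* Added model (not qmail's own code) of the trailing-blank trim loop
 * quoted from qmail-local.c, in the original and re-parenthesised forms.
 * Every array access goes through peek(), which refuses and counts
 * out-of-range indices instead of reading memory before the buffer. */
struct buf { const char *s; int len; int oob; };
static int peek(struct buf *b, int idx) {
    if (idx < 0 || idx >= b->len) { b->oob++; return -1; } /* never ' ' or '\t' */
    return (unsigned char)b->s[idx];
}

/* Trim blanks/tabs from the end of the line s[i..k) and return the new k.
 * buggy != 0 keeps the '\t' test outside the (k > i) guard, as on the
 * original line 648: && binds tighter than ||, so the guard covers only ' '. */
static int trim_end(struct buf *b, int i, int k, int buggy) {
    if (buggy)
        while (((k > i) && (peek(b, k - 1) == ' ')) || (peek(b, k - 1) == '\t'))
            --k;                    /* the original does cmds.s[--k] = 0 here */
    else
        while ((k > i) && ((peek(b, k - 1) == ' ') || (peek(b, k - 1) == '\t')))
            --k;
    return k;
}

/* mem is a constructed buffer; the line starts at offset i and runs to the
 * end (newline already stripped). Bytes before i stand for whatever sits in
 * memory ahead of the line, e.g. the tabs in Peter's scenario. */
int final_k(const char *mem, int i, int buggy) {
    struct buf b = { mem, (int)strlen(mem), 0 };
    return trim_end(&b, i, b.len, buggy);
}

int oob_accesses(const char *mem, int i, int buggy) {
    struct buf b = { mem, (int)strlen(mem), 0 };
    trim_end(&b, i, b.len, buggy);
    return b.oob;
}

int main(void) {
    const char *mem[] = { "", "\t\t", "\t\t", "deliver \t" };
    int offs[] = { 0, 0, 2, 0 };      /* third case: empty line after two tabs */
    for (int c = 0; c < 4; c++)
        for (int buggy = 1; buggy >= 0; buggy--)
            printf("case %d %-8s: final k=%d, out-of-range reads=%d\n", c,
                   buggy ? "original" : "fixed", final_k(mem[c], offs[c], buggy),
                   oob_accesses(mem[c], offs[c], buggy));
    return 0;
}
```

With the original condition, an empty line or an all-tab line ends with an attempted read at index -1, and an empty line preceded by tabs walks k below i (zeroing those bytes in the real code); the re-parenthesised condition never leaves the line.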