Hi

Attached you will find an NMU patch to fix this security issue.
Please include this patch in your next upload, or if you are busy, please give 
me permission to go ahead and upload this NMU.

Cheers
Steffen
diff -u postfix-policyd-1.80/debian/changelog postfix-policyd-1.80/debian/changelog
--- postfix-policyd-1.80/debian/changelog
+++ postfix-policyd-1.80/debian/changelog
@@ -1,3 +1,13 @@
+postfix-policyd (1.80-2.2) unstable; urgency=high
+
+  * Non-maintainer upload
+  * Fix buffer overflow in the w_read function in sockets.c to avoid
+    possible DoS and execution of arbitary code via long SMTP commands
+    (apply directly, because no patch system is used so far)
+    (Closes: #435735) Fixes: CVE-2007-3791
+
+ -- Steffen Joeris <[EMAIL PROTECTED]>  Wed, 08 Aug 2007 14:49:16 +0000
+
 postfix-policyd (1.80-2.1) unstable; urgency=medium
 
   * Non-maintainer upload.
only in patch2:
unchanged:
--- postfix-policyd-1.80.orig/policyd.h
+++ postfix-policyd-1.80/policyd.h
@@ -221,7 +221,7 @@
   int    cidr_ip_match (unsigned long ip, char *range);
   pid_t w_fork(void);
 const char *w_inet_ntop(int family, const void *addrptr, char *strptr, size_t len);
- ssize_t w_read(unsigned int fd, char *ptr);
+ ssize_t w_read(unsigned int fd, char *ptr, size_t max_size);
  ssize_t w_write(unsigned int fd, const void *vbuf);
  ssize_t f_write(unsigned int volatile fd, const void *vptr, size_t n);
  void w_close(unsigned int fd);
only in patch2:
unchanged:
--- postfix-policyd-1.80.orig/sockets.c
+++ postfix-policyd-1.80/sockets.c
@@ -147,7 +147,7 @@
  *   return: number bytes read
  */ 
 ssize_t
-w_read(unsigned int fd, char *ptr)
+w_read(unsigned int fd, char *ptr, size_t max_size)
 {       
   ssize_t  n;
   size_t   data_read = 0;                                    /* for debug only */
@@ -159,6 +159,15 @@
     buf_counter[fd]++;
     buf_size[fd]++;
 
+    /* check if we've reached the end of the buffer */
+    if (buf_counter[fd] >= max_size)
+    {
+      if (DEBUG > 2)
+      logmessage("DEBUG: fd: %d reached end of buffer, aborting\n", fd);
+      
+      return -3;
+    }
+
     /* need at least 2 bytes to check against */
     if (buf_counter[fd] > 2)
     {
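Review bot: The debug branch at `if (DEBUG > 2)` has its body on the next line at the same indentation and without braces, which reads as if `logmessage(...)` ran unconditionally; brace it as `if (DEBUG > 2) { logmessage("DEBUG: fd: %d reached end of buffer, aborting\n", fd); }` to match the braced style of the enclosing check. The new `return -3` leaves `buf_counter[fd]` and `buf_size[fd]` already incremented for this fd; whether the caller resets that per-fd state on error is not visible here, so it is worth confirming that a later call on the same fd cannot resume at or past the end of the buffer. The check runs after this iteration's store into the buffer (above the hunk), so it only protects later iterations — sufficient if the store is at `ptr[buf_counter[fd]]` before the increment, which should be confirmed against the read call. w_read begins and ends outside this hunk.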
only in patch2:
unchanged:
--- postfix-policyd-1.80.orig/policyd.c
+++ postfix-policyd-1.80/policyd.c
@@ -216,7 +216,7 @@
           logmessage("DEBUG: fd: %d select(): fd %d is ready for read\n", sockfd, sockfd);
      
         /* read as much data as we can */
-	rres = w_read(sockfd,buf[sockfd]);
+	rres = w_read(sockfd,buf[sockfd],MAXLINE);
 	switch (rres)
 	{
 	  case -1:
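Review bot: The `switch (rres)` must now handle the new `-3` return from `w_read`, but only `case -1:` is visible in this hunk; if the arms below have no `case -3:` or `default:`, a client that fills the line buffer would be neither logged nor disconnected, so an arm treating `-3` like the other read failures (presumably closing `sockfd`) is needed. Passing `MAXLINE` relies on that constant matching the size of `buf[sockfd]`; if `buf` is a fixed array, `sizeof buf[sockfd]` keeps the bound tied to the real buffer size (its declaration is not visible here). The enclosing function continues outside the hunk.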

Attachment: signature.asc
Description: This is a digitally signed message part.
