Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: And another qpopper overflow (does this make 3?)
From: agifford () INFOWEST COM (Aaron D. Gifford)
Date: Sun, 28 Jun 1998 14:28:21 -0600


Sorry,

I misread Miquel's post.  This was the overrun Miquel already mentioned.
However, limiting the UIDL to 128 in length does not completely fix it, since
a huge From: header could still cause an overrun.  Either way, I think the
solution is to limit uidl_str size AND reduce the size of the buffer in the
from_hdr() function from pop_uidl.c (as well as make the buffer static -- it
sure seems to me like it should be).

Here's what I chose to do instead of truncating uidl_str to 128 in
pop_dropcopy.c:

*** work/qpopper2.41beta1/pop_dropcopy.c        Sun Jun 28 12:58:14 1998
--- work2/qpopper2.41beta1/pop_dropcopy.c       Sun Jun 28 13:07:47 1998
*************** POP *p;
*** 489,495 ****
                    /* Skip over header string */
                    cp = &buffer[7];
                      while (*cp && (*cp == ' ' || *cp == '\t')) cp++;
!                     if(strlen(cp) < DIG_SIZE) /* To account for the empty
UIDL string */
                      {
                          uidl_found--; /*roll over as though it hasn't seen
anything*/
                          continue;
--- 489,501 ----
                    /* Skip over header string */
                    cp = &buffer[7];
                      while (*cp && (*cp == ' ' || *cp == '\t')) cp++;
!                     /*
!                      * The UIDL digest SHOULD be approx. 32 chars long,
!                      * so reject/skip any X-UIDL: lines that don't fit
!                      * this profile.  A new X-UIDL: line will be created
!                      * for any messages that don't have a valid one.
!                      */
!                     if(strlen(cp) < DIG_SIZE || strlen(cp) > DIG_SIZE * 3)
                      {
                          uidl_found--; /*roll over as though it hasn't seen
anything*/
                          continue;


And then to fix the possibility of a From: header overrunning things in
pop_uidl.c during an EUIDL command from the POP client:

*** work/qpopper2.41beta1/pop_uidl.c    Wed Nov 19 14:20:38 1997
--- work2/qpopper2.41beta1/pop_uidl.c   Sun Jun 28 13:09:56 1998
*************** from_hdr(p, mp)
*** 101,107 ****
       POP         *p;
       MsgInfoList *mp;
  {
!   char buf[MAXLINELEN], *cp;

      fseek(p->drop, mp->offset, 0);
      while (fgets(buf, sizeof(buf), p->drop) != NULL) {
--- 101,112 ----
       POP         *p;
       MsgInfoList *mp;
  {
!   /*
!    * Shorten this buffer so that an extra-long From: header
!    * won't overflow the buffers in the pop_euidl() where
!    * this function is called.  128 should be sufficient.
!    */
!   static char buf[MAXLINELEN - 128], *cp;

      fseek(p->drop, mp->offset, 0);
      while (fgets(buf, sizeof(buf), p->drop) != NULL) {




Aaron out.



  By Date           By Thread  

Current thread:
  • Re: And another qpopper overflow (does this make 3?) Aaron D. Gifford (Jun 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault