Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Buffer overflow in qmail-qmtpd, yet still qmail much better than windows
From: Russell Nelson <nelson () crynwr com>
Date: Wed, 3 Mar 2004 12:02:24 -0500

Bruno Wolff III writes:
RELAYCLIENT needs to be set by a trusted user in the first place, so if
you are getting bad values for RELAYCLIENT you have other problems.

That's not the problem.  It's not the value of RELAYCLIENT, it's the
length of it.  The problem is that len can get set to a very large
value which reduces rather than increases the value of the LHS of the
following comparison:

if (len + relayclientlen >= 1000) 

You could fix it in a manner closer to what djb intended by making the
code look like this:

   for (;;) {
     substdio_get(&ssin,&ch,1);
     if (ch == ':') return len;
-    if (len > 200000000) resources();
     len = 10 * len + (ch - '0');
+    if (len > 200000000) resources();
   }

@@ -193,8 +193,8 @@
         substdio_get(&ssin,&ch,1);
         --biglen;
         if (ch == ':') break;
-        if (len > 200000000) resources();
         len = 10 * len + (ch - '0');
+        if (len > 200000000) resources();
       }

The work-around is not to set RELAYCLIENT.  Since it's extremely
unlikely that anybody is setting it in the first place, this bug
should have no operational consequences.

-- 
--My blog is at angry-economist.russnelson.com  | I'm giving a short
Crynwr sells support for free software  | PGPok | talk at WTF, Isen's
521 Pleasant Valley Rd. | +1 315 268 1925 voice | stupid net conference:
Potsdam, NY 13676-3213  | FWD# 404529 via VOIP  | http://stupidnet.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault