Full Disclosure mailing list archives
Re: Lame crash in qmail-smtpd
From: David Jez <dave.jez () seznam cz>
Date: Tue, 20 Jan 2004 09:16:43 +0100
Hello guys
[...]
The problem is in:
void blast(hops)
int *hops;
...
  int pos; /* number of bytes since most recent \n, if fih */
...
      if (pos < 9) {
        if (ch != "delivered"[pos]) if (ch != "DELIVERED"[pos])
          flagmaybez = 0;
        ...
      ++pos;
...
I think this isn't a serious security problem because generally this kind of overflow (nondeterministic, noncontrolled random read from random address) is not exploitable. This can be only a "logical bug".

I think that the best fix is the following patch (or die with another funny message like go away, etc.).

Regards,
--
-------------------------------------------------------
David "Dave" Jez                Brno, CZ, Europe
E-mail: dave.jez () seznam cz
PGP key: finger xjezda00 () eva fit vutbr cz
---------=[ ~EOF ]=------------------------------------
Attachment:
qmail-1.03-hops-fix.diff
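
Added example, not part of the original post, not qmail code and not the attached patch: the `pos < 9` guard from the excerpt beside a check that also rejects negative values, with a counter that saturates instead of growing without bound. The helper names are hypothetical, and INT_MIN is a constructed stand-in for a signed counter that has wrapped after more than INT_MAX increments.

```c
#include <limits.h>
#include <stdio.h>

/* Guard as written in the excerpt: only the upper bound is checked, so a
   negative pos (a wrapped signed counter) is accepted as a string index. */
static int guard_excerpt(int pos) { return pos < 9; }

/* Hardened guard: an unsigned comparison rejects negative values too. */
static int guard_checked(int pos) { return (unsigned int)pos < 9u; }

/* Saturating increment: the matcher only needs to know "pos >= 9", so the
   counter can stop there and never approaches INT_MAX. */
static int bump_saturating(int pos) { return pos < 9 ? pos + 1 : 9; }

/* Header match in the style of the excerpt, using the checked guard.
   Returns 1 if the line starts with "delivered" (either case per byte). */
static int starts_with_delivered(const char *line)
{
  int pos = 0;
  int flagmaybez = 1;
  for (; *line && *line != '\n'; ++line) {
    char ch = *line;
    if (guard_checked(pos)) {
      if (ch != "delivered"[pos]) if (ch != "DELIVERED"[pos])
        flagmaybez = 0;
    }
    pos = bump_saturating(pos);
  }
  return flagmaybez && pos >= 9;
}

int main(void)
{
  /* Constructed inputs: INT_MIN models the wrapped counter. */
  printf("excerpt guard admits INT_MIN: %d\n", guard_excerpt(INT_MIN));
  printf("checked guard admits INT_MIN: %d\n", guard_checked(INT_MIN));
  printf("match: %d\n", starts_with_delivered("Delivered-To: a@b\n"));
  return 0;
}
```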
