Bugtraq mailing list archives

Re: CPSN 4-970424: Possible buffer overflow in pop3d


From: jkatz () CORINNE MAC EDU (J. Joseph Max Katz)
Date: Mon, 28 Apr 1997 09:17:11 -0500


On Sun, 27 Apr 1997, Derric Scott wrote:

While I don't profess to be the keeper of BSD POP3d, I have made recent
changes and made them available.  So....  I took a very quick look and
changed that "offending" strcpy to a strncpy.  I'll soon put 1.005f
up on:        ftp://ftp.scott.net/pub/linux/mail

Thank you for the quick response.

Is this security notice based on an exploit, or is it just from examination
of the code?  My cursory glance indicates that there is no real threat from
that strcpy because the length of the input has already been checked before

Only upon examination-- I only looked at the code, saw
strcpy(static_array, char *) and gasped-- and made the release.  It looks
as if, within function svr_auth, it only gets the input from a 128
character array, then later subtracts the first four characters out
(deciding if it is USER or PASS or whatever), puts that into a
pointer when a different function is called, and then strcpy's it.

      FUNCTION: svr_auth(state,inbuf), has the "offending" line:
                      strcpy(cli_user,inbuf);
      BUT:  svr_auth is called from MAIN with:
                      svr_state = svr_auth(svr_state,cli_buf);
      where cli_buf is read previously from stdin with:
                      if (fgetl(cli_buf,CLI_BUFSIZ,stdin) == NULL)



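The question the two posters are circling is whether a strcpy from a buffer that was itself read with a bounded fgetl() is safe. It is safe only if the destination is at least as large as the longest string the bounded read can deliver; otherwise the earlier length check bounds the wrong buffer. The following C model is an added example, not code from BSD POP3d or from either poster: CLI_BUFSIZ is taken from the reply, while CLI_USERSIZ, VERB_LEN, the fgets-like behaviour assumed for fgetl, and the functions max_arg_len, strcpy_is_bounded_by_input, copy_arg, copy_arg_strncpy and arg_of are assumptions introduced here. It computes the longest argument a line can carry, tests whether that bound alone makes a bare strcpy safe for a given cli_user size, and shows two bounded replacements, including the terminator that a plain strcpy-to-strncpy swap does not guarantee.

```c
#include <stdio.h>
#include <string.h>

/* Sizes for this model only; the real pop3d values are not on the page. */
#define CLI_BUFSIZ 128       /* size passed to fgetl() for cli_buf in the reply */
#define CLI_USERSIZ 64       /* hypothetical size of cli_user, chosen smaller than
                                CLI_BUFSIZ so the hazard is visible */
#define VERB_LEN 5           /* "USER " / "PASS ": four letters plus a space */

/* Longest argument a line read with fgetl(cli_buf, CLI_BUFSIZ, stdin) can carry,
 * assuming fgetl, like fgets, stores at most CLI_BUFSIZ-1 bytes plus a NUL, and
 * that the verb and its space are skipped before the copy. */
size_t max_arg_len(void) { return CLI_BUFSIZ - 1 - VERB_LEN; }

/* The bound the "already checked" argument relies on: the earlier length check
 * makes a bare strcpy safe only when the destination can hold the longest
 * possible argument plus its terminator. Returns 1 if that holds for dst_size. */
int strcpy_is_bounded_by_input(size_t dst_size) {
    return dst_size >= max_arg_len() + 1;
}

/* Hardened copy: bounded and always NUL-terminated. Returns 0 on success, -1 if
 * the argument does not fit (rejected rather than silently truncated). */
int copy_arg(char *dst, size_t dst_size, const char *arg) {
    size_t n = strlen(arg);
    if (n + 1 > dst_size) return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

/* strcpy -> strncpy replacement as the thread describes it, with the terminator
 * strncpy does not guarantee: strncpy(dst, src, n) leaves dst unterminated when
 * strlen(src) >= n. Truncates silently. (The actual 1.005f code is not on the page.) */
void copy_arg_strncpy(char *dst, size_t dst_size, const char *arg) {
    strncpy(dst, arg, dst_size - 1);
    dst[dst_size - 1] = '\0';
}

/* Argument extraction as the reply describes it: the first four characters
 * select the verb, the remainder after the space is the argument. Returns a
 * pointer into line past the verb, or NULL for any other line. */
const char *arg_of(const char *line) {
    if (strncmp(line, "USER ", VERB_LEN) != 0 && strncmp(line, "PASS ", VERB_LEN) != 0)
        return NULL;
    return line + VERB_LEN;
}

int main(void) {
    char cli_buf[CLI_BUFSIZ];
    char cli_user[CLI_USERSIZ];

    /* Constructed input: a USER line whose argument is as long as fgetl can deliver. */
    memset(cli_buf, 'A', sizeof cli_buf - 1);
    cli_buf[sizeof cli_buf - 1] = '\0';
    memcpy(cli_buf, "USER ", VERB_LEN);

    printf("longest argument fgetl can deliver: %zu bytes\n", max_arg_len());
    printf("bare strcpy into a %d-byte cli_user is bounded by the read: %s\n",
           CLI_USERSIZ, strcpy_is_bounded_by_input(sizeof cli_user) ? "yes" : "no");

    const char *arg = arg_of(cli_buf);
    printf("bounded copy_arg: %s\n",
           copy_arg(cli_user, sizeof cli_user, arg) == 0 ? "ok" : "rejected");
    copy_arg_strncpy(cli_user, sizeof cli_user, arg);
    printf("strncpy variant stored %zu bytes, terminated\n", strlen(cli_user));
    return 0;
}
```

The only number that matters for the original report is sizeof(cli_user) against max_arg_len() + 1; if cli_user is at least CLI_BUFSIZ bytes the strcpy is bounded by the read, and if it is smaller a maximal USER line overflows it regardless of the check on cli_buf.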