Full Disclosure mailing list archives

Re: Buffer overflow in qmail-qmtpd, yet still qmail much better than windows


From: Russell Nelson <nelson () crynwr com>
Date: Wed, 3 Mar 2004 12:02:24 -0500

Bruno Wolff III writes:
> RELAYCLIENT needs to be set by a trusted user in the first place, so if
> you are getting bad values for RELAYCLIENT you have other problems.

That's not the problem.  It's not the value of RELAYCLIENT, it's the
length of it.  The problem is that len can get set to a very large
value which reduces rather than increases the value of the LHS of the
following comparison:

if (len + relayclientlen >= 1000) 

You could fix it in a manner closer to what djb intended by making the
code look like this:

   for (;;) {
     substdio_get(&ssin,&ch,1);
     if (ch == ':') return len;
-    if (len > 200000000) resources();
     len = 10 * len + (ch - '0');
+    if (len > 200000000) resources();
   }
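Review bot: moving the limit test below the accumulation caps the value returned at ':' at 200000000 instead of the 10*200000000+9 the old ordering allowed, but `ch` is still folded in as `ch - '0'` without being checked against '0'..'9'. A byte below '0' contributes a negative term (which, for an unsigned len, wraps to a huge value) and a byte above '9' contributes more than 9. With the check now after the accumulation the wrapped value is rejected on the next line, but a byte above '9' still passes as a digit, so consider rejecting any `ch` outside '0'..'9' as a protocol error before the `len = 10 * len + (ch - '0');` line rather than relying on the size limit alone.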

@@ -193,8 +193,8 @@
         substdio_get(&ssin,&ch,1);
         --biglen;
         if (ch == ':') break;
-        if (len > 200000000) resources();
         len = 10 * len + (ch - '0');
+        if (len > 200000000) resources();
       }
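Review bot: same ordering fix as in the first loop, and the same unchecked `ch - '0'` applies here; the digit-range rejection should go in this loop too (or both loops should share one helper so the two copies cannot drift apart). Note also that `--biglen` runs before the ':' test, so the terminating colon is charged against `biglen` as well; that is fine only if `biglen` was computed to include it, which this hunk does not show.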

The work-around is not to set RELAYCLIENT.  Since it's extremely
unlikely that anybody is setting it in the first place, this bug
should have no operational consequences.

-- 
--My blog is at angry-economist.russnelson.com  | I'm giving a short
Crynwr sells support for free software  | PGPok | talk at WTF, Isen's
521 Pleasant Valley Rd. | +1 315 268 1925 voice | stupid net conference:
Potsdam, NY 13676-3213  | FWD# 404529 via VOIP  | http://stupidnet.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
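Added example, not qmail's own code and not from the post: the length parser written both ways, with qmail's substdio input and its resources() exit replaced by a byte buffer and a status code so it runs stand-alone. It assumes len and the caller's relayclientlen are unsigned long (the post does not show the original declarations); the three inputs in main() are constructed, and the third one, a non-digit byte, shows how the old ordering hands back a wrapped len that then makes `len + relayclientlen` smaller rather than larger.

```c
/*
 * Added example (not qmail's own code): the qmail-qmtpd netstring length
 * parser with the limit check before and after the accumulation.
 * ASSUMPTIONS: len and relayclientlen are unsigned long; substdio_get() is
 * replaced by a buffer reader; resources() is modelled as a status code.
 */
#include <limits.h>
#include <stdio.h>
#include <string.h>

enum { LEN_OK = 0, LEN_RESOURCES = 1, LEN_EOF = 2 };

/* Stand-in for substdio: a byte buffer with a read cursor. */
struct input { const char *p; size_t n; size_t pos; };

static int get_byte(struct input *in, char *ch)
{
  if (in->pos >= in->n) return 0;   /* caller gets LEN_EOF instead of blocking */
  *ch = in->p[in->pos++];
  return 1;
}

/* Original ordering: the limit is tested before the digit is folded in, so
 * the value returned at ':' can reach 10*200000000+9, and a byte below '0'
 * wraps len to a huge value that is returned without ever hitting the test. */
static int getlen_before(struct input *in, unsigned long *out)
{
  unsigned long len = 0;
  char ch;
  for (;;) {
    if (!get_byte(in, &ch)) return LEN_EOF;
    if (ch == ':') { *out = len; return LEN_OK; }
    if (len > 200000000) return LEN_RESOURCES;
    len = 10 * len + (ch - '0');
  }
}

/* Ordering from the patch: the limit is tested on the accumulated value, so
 * anything returned at ':' is at most 200000000 and a wrapped len is
 * rejected before the next byte is read. */
static int getlen_after(struct input *in, unsigned long *out)
{
  unsigned long len = 0;
  char ch;
  for (;;) {
    if (!get_byte(in, &ch)) return LEN_EOF;
    if (ch == ':') { *out = len; return LEN_OK; }
    len = 10 * len + (ch - '0');
    if (len > 200000000) return LEN_RESOURCES;
  }
}

/* Wrappers over a NUL-terminated length prefix (constructed test input). */
static int parse_len_before(const char *s, unsigned long *out)
{
  struct input in = { s, strlen(s), 0 };
  return getlen_before(&in, out);
}

static int parse_len_after(const char *s, unsigned long *out)
{
  struct input in = { s, strlen(s), 0 };
  return getlen_after(&in, out);
}

/* The caller's comparison from the post.  With a wrapped len the unsigned
 * addition wraps again, and the sum comes out smaller than relayclientlen
 * alone, so the >= 1000 test passes a length that is really enormous. */
static int over_limit(unsigned long len, unsigned long relayclientlen)
{
  return len + relayclientlen >= 1000;
}

int main(void)
{
  /* Constructed prefixes: a normal one, the largest one the old ordering
   * accepts, and a non-digit byte that wraps len. */
  const char *inputs[] = { "123:", "2000000009:", "!:" };
  size_t i;
  for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
    unsigned long before = 0, after = 0;
    int rb = parse_len_before(inputs[i], &before);
    int ra = parse_len_after(inputs[i], &after);
    printf("%-12s before: status %d len %lu  over_limit(len,20)=%d\n",
           inputs[i], rb, before, over_limit(before, 20));
    printf("%-12s after:  status %d len %lu\n", inputs[i], ra, after);
  }
  return 0;
}
```

The point of the third input is the one the post makes: a single byte below '0' gives `ch - '0'` a negative value, the old ordering returns the wrapped len at the following ':', and `len + relayclientlen` then wraps back to a small number so the `>= 1000` check does not fire. The patched ordering never returns that value because the check runs on it before the next byte is read.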