Vulnerability Development mailing list archives

exim and ip options?


From: Magosányi Árpád <mag () BUNUEL TII MATAV HU>
Date: Thu, 11 Jan 2001 04:51:34 +0100

Hi!

I have found some very interesting code in exim
(it is at least in 3.12 - 3.20), in
src/smtp_in.c, in the function smtp_start_session(),
where it handles IP options:

            default:
              {
              int i;
              strcat(p, "[");
              p += 2;
              for (i = 0; i < opt[1]; i++)
                {
                sprintf(p, "%2.2x ", opt[i]);
                p += 3;
                }
              *p++ = ']';
              }
            opt += opt[1];
            break;
            }
          }

p is a pointer (initially) inside a "big" buffer with a length of
1024. It seems to be a nice opportunity for a buffer overrun,
except that it is on the heap and very limited in the usable opcodes.
I am not able to write an exploit, or even to confirm
the exploitability of such code.
Any ideas?

Please cc: me as I am not on the list.

-- 
GNU GPL: only from a pure source

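The loop quoted above, modelled in C as an added example (it is neither exim's code nor the poster's): it walks a constructed IPv4 options block the way the quoted default: branch does, totals the bytes the sprintf loop would store into the 1024-byte buffer, counts how far an attacker-chosen opt[1] makes it read past the end of the block, and then gives a bounds-checked rewrite of the same dump. Assumptions made here and not taken from the post: every option is assumed to take the default: branch shown (the other switch cases are not in the quote), the outer loop is assumed to stop once opt passes the end of the block, the 40-byte block size comes from the IPv4 header-length field, and the option bytes and function names are constructed for the example.

```c
/* Added example modelling the exim 3.x hex-dump loop quoted in the post.
 * Not exim's code. Every option is assumed to hit the quoted default:
 * branch; the outer loop is assumed to end once opt passes the block. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* IPv4 IHL is at most 15 words (60 bytes) of which 20 are fixed. */
#define IP_MAX_OPTLEN 40
/* Size of the "big" buffer named in the post. */
#define BIG_BUFFER_SIZE 1024

/* Constructed sample: loose source route (0x83), length 7, pointer 4,
 * one address 10.0.0.1. Well-formed. */
static const unsigned char sample_opt[7] = {0x83, 0x07, 0x04, 0x0a, 0x00, 0x00, 0x01};
/* Constructed hostile block: type 0x83 with length byte 0xff, rest zero. */
static unsigned char hostile_opt[IP_MAX_OPTLEN] = {0x83, 0xff};
/* Constructed block whose length byte is 0: opt += opt[1] never advances. */
static const unsigned char zero_len_opt[4] = {0x83, 0x00, 0x00, 0x00};

/* Bytes the quoted default: branch stores for one option with length byte
 * len: strcat "[" and p += 2, then "%2.2x " (3 bytes) len times, then "]". */
static size_t bytes_emitted_for_option(unsigned char len) {
    return 2 + 3 * (size_t)len + 1;
}

struct dump_sim {
    size_t written;   /* bytes the loop would store into the buffer */
    size_t overread;  /* option bytes read beyond the end of the block */
    int stalled;      /* opt[1] == 0: opt never advances, loop never ends */
};

/* Dry run of the quoted walk (opt += opt[1]) over a block of optlen bytes.
 * Nothing is written; only the write and read extents are accounted for. */
static struct dump_sim simulate_default_branch(const unsigned char *opt, size_t optlen) {
    struct dump_sim s = {0, 0, 0};
    size_t off = 0;
    while (off + 1 < optlen) {            /* type byte and length byte present */
        size_t len = opt[off + 1];        /* taken from the packet, unchecked */
        s.written += bytes_emitted_for_option((unsigned char)len);
        if (len > optlen - off)           /* sprintf loop reads past the block */
            s.overread += len - (optlen - off);
        if (len == 0) { s.stalled = 1; break; }
        off += len;
    }
    return s;
}

/* Bounds-checked rewrite of the same dump for a single option.
 * Returns bytes written (without the NUL), or (size_t)-1 when the length
 * byte is malformed or the output does not fit in outsize. */
static size_t dump_option_bounded(const unsigned char *opt, size_t remaining,
                                  char *out, size_t outsize) {
    if (remaining < 2) return (size_t)-1;
    unsigned char len = opt[1];
    if (len < 2 || len > remaining) return (size_t)-1;   /* length must cover the option */
    size_t need = 1 + 3 * (size_t)len + 1;                /* "[" + "xx " * len + "]" */
    if (need >= outsize) return (size_t)-1;               /* leave room for the NUL */
    char *p = out;
    *p++ = '[';
    for (unsigned i = 0; i < len; i++) {
        snprintf(p, 4, "%2.2x ", opt[i]);
        p += 3;
    }
    *p++ = ']';
    *p = '\0';
    return (size_t)(p - out);
}

int main(void) {
    struct dump_sim ok = simulate_default_branch(sample_opt, sizeof sample_opt);
    struct dump_sim bad = simulate_default_branch(hostile_opt, sizeof hostile_opt);
    printf("well-formed option: writes %zu bytes, overreads %zu\n", ok.written, ok.overread);
    printf("length byte 0xff:   writes %zu bytes, overreads %zu (buffer is %d)\n",
           bad.written, bad.overread, BIG_BUFFER_SIZE);
    char out[BIG_BUFFER_SIZE];
    if (dump_option_bounded(sample_opt, sizeof sample_opt, out, sizeof out) != (size_t)-1)
        printf("bounded dump: %s\n", out);
    if (dump_option_bounded(hostile_opt, sizeof hostile_opt, out, sizeof out) == (size_t)-1)
        printf("bounded dump: hostile length byte rejected\n");
    return 0;
}
```

Under this model a single option whose length byte is 0xff stores 768 bytes and reads 215 bytes past a 40-byte block, so whether the 1024-byte buffer is exceeded depends on how much already precedes p and on whether the walk continues over whatever memory follows the block; a length byte of 0 leaves opt where it is. The bounded version rejects a length byte that does not cover the option and refuses to write when the formatted dump plus its terminator would not fit.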
