Fw: Buffer overflow potential in centerICQ mail handling

["KF" <dotslash () snosoft com>]

----- Original Message -----
From: "KF" <dotslash () snosoft com>
Subject: Buffer overflow potential in centerICQ mail handling

> CenterICQ installed from centericq-4.7.2-3.rh7.rpm or
> centericq-4.7.2.tar.gz has a potential buffer overflow in the mail
handling
> Fix:
> src/hooks/msnhook.cc
>         sprintf(buf, _("+ [msn] e-mail from %s <%s>, %s"),
>             mail->from, mail->fromaddr, mail->subject);
>
>         snprintf(buf, 1023,_("+ [msn] e-mail from %s <%s>, %s"),
>             mail->from, mail->fromaddr, mail->subject);
>
> Info:
>
> Msnhook:: mailed is passed "data"... data.frromaddr combined with
> data.subject can trigger a buffer overflow due to their size being
dynamic.
> void msnhook::mailed(void *data) {
>     MSN_MailNotification *mail = (MSN_MailNotification *) data;
>
>     if(mail->from) {
>         char buf[1024];
>
>         sprintf(buf, _("+ [msn] e-mail from %s <%s>, %s"),
>             mail->from, mail->fromaddr, mail->subject);
> ...
>
> }
>
> The "data" comes from code in ./libmsn-0.1/msn_commands.cc which parses
> an email message and extracts info from the messages in particular the
> "From-Addr" and "Subject" fields which get stuffed into buf which is
> only 1024 chars in length.
> ...
>  else if (strstr(mimeInfo, "text/x-msmsgsemailnotification")) {
>  char *tmp = strstr(im, "From: ") + strlen("From: ");
>  MSN_MailNotification data;
>
>  data.from = tmp;
>  tmp = strstr(data.from, "\r\n"); *tmp = '\0';
>  DecodeMime(data.from);
>  ...
>  data.subject = strstr(tmp + 1, "Subject: ") + strlen("Subject: ");
>  tmp = strstr(data.subject, "\r\n"); *tmp = '\0';
>  DecodeMime(data.subject);
>  ...
>  data.fromaddr = strstr(tmp + 1, "From-Addr: ") + strlen("From-Addr: ");
>  tmp = strstr(data.fromaddr, "\r\n"); *tmp = '\0';
>
> -KF