From owner-freebsd-hackers@FreeBSD.ORG Mon Jan 19 07:31:25 2004
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7AD2B16A4CE for ; Mon, 19 Jan 2004 07:31:25 -0800 (PST)
Received: from ftp.bjpu.edu.cn (ftp.bjpu.edu.cn [202.112.78.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id EA63B43D4C for ; Mon, 19 Jan 2004 07:31:23 -0800 (PST) (envelope-from delphij@frontfree.net)
Received: by ftp.bjpu.edu.cn (Postfix, from userid 426) id BD2FC52D4; Mon, 19 Jan 2004 23:31:22 +0800 (CST)
Received: from beastie.frontfree.net (beastie.frontfree.net [218.107.145.7]) by ftp.bjpu.edu.cn (Postfix) with ESMTP id 9E3465299 for ; Mon, 19 Jan 2004 23:31:22 +0800 (CST)
Received: by beastie.frontfree.net (Postfix, from userid 426) id 3AAAC1153A; Mon, 19 Jan 2004 23:31:21 +0800 (CST)
Received: from phantasm205 (unknown [61.49.184.36]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by beastie.frontfree.net (Postfix) with ESMTP id 6BD9D11426; Mon, 19 Jan 2004 23:31:19 +0800 (CST)
Message-ID: <023e01c3dea1$4d6d8570$0401a8c0@phantasm205>
From: "Xin LI"
To: "Xin LI" , "Anton Alin-Adrian" ,
References: <400BD0CE.6050609@reversedhell.net> <010e01c3de91$e6daa9a0$0401a8c0@phantasm205>
Date: Mon, 19 Jan 2004 23:31:23 +0800
Organization: Phantasm Studio
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.3790.0
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.0
Subject: [REVISED] Re: qmail remote root patch
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Mon, 19 Jan 2004 15:31:25 -0000

The last patch I sent to the list is incomplete because it did not handle the case where there are too many short DELIVERED or RECEIVED lines, which still has potential to cause memory overwrites. I hope this time the exploit potential is completely eliminated.

Cheers,
Xin LI

--- qmail-smtpd.c.orig Mon Jan 19 23:20:38 2004 +++ qmail-smtpd.c Mon Jan 19 23:22:36 2004 @@ -305,7 +305,7 @@ *hops = 0; flaginheader = 1; pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; - for (;;) { + for (;;((*hops) < MAXHOPS)) { substdio_get(&ssin,&ch,1); if (flaginheader) { if (pos < 9) { @@ -317,7 +317,17 @@ if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0; if (flagmaybey) if (pos == 1) flaginheader = 0; } - ++pos; + if((++pos) > 1000) { + /* + * RFC 2821 has explicitly defined a text line can contain + * 1000 characters at maximium. This is a workaround to + * stop copying characters there, but I am not sure about + * the side effect. Consider this as an attack and set hops + * to MAXHOPS to prevent future processing. + */ + *hops = MAXHOPS; + break; + } if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; } } switch(state) {
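Review bot: In the first hunk (@@ -305,7 +305,7 @@) the bound is in the wrong clause of the for statement: `for (;;((*hops) < MAXHOPS))` puts the comparison in the third, post-iteration slot, where its value is evaluated and discarded, so the loop is exactly as unconditional as `for (;;)` was and a compiler with warnings on will report an expression with no effect. A condition goes in the second clause, `for (;*hops < MAXHOPS;)`. Even written correctly, leaving this loop as soon as the hop limit is hit stops consuming input before the `switch(state)` machine that follows has seen the end of the message, so the remainder stays unread on the connection and is later interpreted as SMTP commands; the hop counter this function already maintains is enough for the caller to reject the message once the function returns normally, so the early exit is better left out.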
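Review bot: In the second hunk (@@ -317,7 +317,17 @@) the `break` sits inside `if (flaginheader)` but exits the enclosing `for` loop, not the header check, so a single header line longer than 1000 bytes abandons the read loop with the rest of the message still unread, with the same session-desync effect as in the first hunk. Note also that every comparison against a string literal here (`"\r\n"[pos]` and the others under `if (pos < 9)`) is already bounded by `pos`, so no matter how long the line is those indexes never run past the literals; capping `pos` at 1000 is therefore not what prevents an overwrite, and if overlong lines are to be rejected the safer form is to set `*hops = MAXHOPS` (or a dedicated flag) and keep reading, letting the existing `if (ch == '\n')` reset `pos` as before. Minor: `if((++pos) > 1000)` reads better as `if (++pos > 1000)`, the comment's "maximium" is a typo, and the RFC 2821 figure it cites (section 4.5.3.1) is 1000 characters including the CRLF, whereas `pos` here counts bytes since the last `'\n'`.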