Date: Mon, 19 Jan 2004 21:55:37 +0200
From: Anton Alin-Adrian <aanton@reversedhell.net>
To: Dinesh Nair <dinesh@alphaque.com>, freebsd-hackers@freebsd.org
Subject: Re: qmail remote root patch
Message-ID: <400C3639.1000702@reversedhell.net>
In-Reply-To: <20040120014314.S312-100000@prophet.alphaque.com>
References: <20040120014314.S312-100000@prophet.alphaque.com>

Dinesh Nair wrote:

>On Mon, 19 Jan 2004, Anton Alin-Adrian wrote:
>
>>>Regarding latest qmail vulnerability, I coded this quick patch.
>>>Please double-check me if I am wrong here. Forward this to
>>>freebsd-security please.
>>>320c320
>>>< ++pos;
>>>---
>>>> if (pos>9) ++pos;
>>
>>http://www.guninski.com/qmailcrash.html
>
>wouldn't it be better to switch pos from an int to a u_int ? or do
>specific bounds checking before incrementing pos ? this patch seems to
>_only_ increment pos if it's > 9, and reading the code will show you where
>you're going to get into some problems. :)
>
>Regards, /\_/\ "All dogs go to heaven."
>dinesh@alphaque.com (0 0) http://www.alphaque.com/
>+==========================----oOO--(_)--OOo----==========================+
>| for a in past present future; do |
>| for b in clients employers associates relatives neighbours pets; do |
>| echo "The opinions here in no way reflect the opinions of my $a $b." |
>| done; done |
>+=========================================================================+

Please look in the thread, I already posted:

--- qmail-smtpd.c Mon Jun 15 13:53:16 1998 +++ qmail-smtpd-patched.c Mon Jan 19 15:22:23 2004 @@ -316,8 +316,8 @@ if (flagmaybex) if (pos == 7) ++*hops; if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0; if (flagmaybey) if (pos == 1) flaginheader = 0; + ++pos; } - ++pos; if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; } } switch(state) {
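
Review bot: the condition that bounds pos is not visible in this hunk. The moved "++pos;" now sits inside the block closed by the "}" on the next line, but that block opens above the context starting at line 316, so the hunk alone does not show which values pos can still reach. Please state the intended upper bound in a comment next to the increment and in the patch description, and confirm that the checks "if (pos == 7)", "if (pos < 2)" and "if (pos == 1)" still see every value they need before the "pos = 0" reset on '\n'. The type of pos is also unchanged here, so the suggestion made earlier in the thread (u_int, or an explicit bounds check before the increment) is still open and worth answering in the same patch.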