From: Anton Alin-Adrian
To: Dinesh Nair, freebsd-hackers@freebsd.org
Date: Mon, 19 Jan 2004 21:55:37 +0200
Subject: Re: qmail remote root patch
Message-ID: <400C3639.1000702@reversedhell.net>
In-Reply-To: <20040120014314.S312-100000@prophet.alphaque.com>

Dinesh Nair wrote:

>On Mon, 19 Jan 2004, Anton Alin-Adrian wrote:
>
>>>Regarding latest qmail vulnerability, I coded this quick patch.
>>>Please double-check me if I am wrong here. Forward this to
>>>freebsd-security please.
>>>320c320 >>>< ++pos; >>>--- >>> >>> >>> >>> >>>> if (pos>9) ++pos; >>>> >>>>
>>http://www.guninski.com/qmailcrash.html
>
>wouldn't it be better to switch pos from an int to a u_int ? or do
>specific bounds checking before incrementing pos ? this patch seems to
>_only_ increment pos if it's > 9, and reading the code will show you where
>you're going to get into some problems. :)
>
>Regards, /\_/\ "All dogs go to heaven."
>dinesh@alphaque.com (0 0) http://www.alphaque.com/
>+==========================----oOO--(_)--OOo----==========================+
>| for a in past present future; do |
>| for b in clients employers associates relatives neighbours pets; do |
>| echo "The opinions here in no way reflect the opinions of my $a $b." |
>| done; done |
>+=========================================================================+

Please look in the thread, I already posted:

--- qmail-smtpd.c Mon Jun 15 13:53:16 1998 +++ qmail-smtpd-patched.c Mon Jan 19 15:22:23 2004
@@ -316,8 +316,8 @@ if (flagmaybex) if (pos == 7) ++*hops; if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0; if (flagmaybey) if (pos == 1) flaginheader = 0; + ++pos; } - ++pos; if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; } } switch(state) {
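
Review bot: the guard that is supposed to bound pos is not visible in this hunk. The added "++pos;" now sits just before a closing "}", but the condition that opens that block lies above the context shown, so these lines alone do not show at what value pos stops advancing. Please widen the context (or name the guarding condition in the patch description) and add a short comment at the new "++pos;" stating the maximum pos can reach. That bound matters because the visible tests "if (pos < 2)" and "pos == 7" and the index "\r\n"[pos] all assume pos is a small non-negative count, and the reply quoted above notes that pos is an int. The reset "if (ch == '\n') { pos = 0; ... }" stays outside the block, which is needed so counting resumes on the next line; a comment saying that this placement is intentional would help the next reader.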