A bug has been reported on the full-disclosure ML: when qmail-smtpd receives 2GB or more of SMTP header, the per-line byte counter (pos) overflows. Realistically a 2GB SMTP header will never occur, but since I can't rule out being targeted by an attacker, I'll fix it.
  pos = 0; flagmaybex = flagmaybey = flagmaybez = 1;
  for (;;) {
    substdio_get(&ssin,&ch,1);
    if (flaginheader) {
      if (pos < 9) {
        if (ch != "delivered"[pos]) if (ch != "DELIVERED"[pos]) flagmaybez = 0;
        if (flagmaybez) if (pos == 8) ++*hops;
        if (pos < 8)
          if (ch != "received"[pos]) if (ch != "RECEIVED"[pos]) flagmaybex = 0;
        if (flagmaybex) if (pos == 7) ++*hops;
        if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0;
        if (flagmaybey) if (pos == 1) flaginheader = 0;
        ++pos; /* insert by YANO at 2004/01/20 */
      }
      /* ++pos; * commentout by YANO at 2004/01/20 */
      if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; }
    }
    switch(state) {

The original ++pos sat after the if (pos < 9) block, so pos was advanced once for every header byte and a single header line of 2^31 bytes or more wraps it; once it is back below 9, "delivered"[pos] and friends are indexed with a bogus value. Moving ++pos inside the block means pos stops at 9 (only the first nine bytes of a line are ever compared) and is reset to 0 at each newline, so no line length can wrap it. The loop still reads the whole stream, so a huge message still costs time, but the out-of-bounds index is gone.
qmail-smtpd.c: 502 lines, 13278 characters
$ sudo make setup check
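To see what the moved ++pos buys, here is a stand-alone C model of the header-scanning loop above, added here as an example (it is not code from qmail or from this entry's patch). It runs the same Received/Delivered matching over a constructed message twice, once with the unconditional ++pos of qmail 1.03 and once with the increment inside the pos < 9 block, and reports both the hop count and how large pos gets. Bytes come from a buffer instead of substdio_get(), pos is widened to unsigned long so its growth can be measured without signed overflow (it is an int in qmail), and the message, the 100000-byte X-Long line and the function names count_hops/build_sample/run_demo are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example: a model of the header-scanning loop in qmail-smtpd.c.
 * The matching logic is unchanged; bytes come from a buffer instead of
 * substdio_get(), and pos is an unsigned long here (an int in qmail) so
 * that its growth can be measured without signed overflow.
 *
 * fixed == 0: ++pos after the if (pos < 9) block, as in qmail 1.03.
 * fixed == 1: ++pos inside the block, as in the patch above.
 * Returns the hop count; *max_pos receives the largest pos observed. */
static int count_hops(const char *msg, size_t len, int fixed, unsigned long *max_pos)
{
    int hops = 0;
    int flaginheader = 1;      /* still inside the header block */
    unsigned long pos = 0;     /* bytes since the most recent '\n' */
    int flagmaybex = 1;        /* line may still match "received" */
    int flagmaybey = 1;        /* line may still be the bare "\r\n" */
    int flagmaybez = 1;        /* line may still match "delivered" */
    size_t i;

    *max_pos = 0;
    for (i = 0; i < len; i++) {
        char ch = msg[i];
        if (flaginheader) {
            if (pos < 9) {
                if (ch != "delivered"[pos]) if (ch != "DELIVERED"[pos]) flagmaybez = 0;
                if (flagmaybez) if (pos == 8) ++hops;
                if (pos < 8)
                    if (ch != "received"[pos]) if (ch != "RECEIVED"[pos]) flagmaybex = 0;
                if (flagmaybex) if (pos == 7) ++hops;
                if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0;
                if (flagmaybey) if (pos == 1) flaginheader = 0;
                if (fixed) ++pos;   /* patched placement: pos stops at 9 */
            }
            if (!fixed) ++pos;      /* original placement: pos grows with the line */
            if (pos > *max_pos) *max_pos = pos;
            if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; }
        }
        /* body bytes: handled by qmail-smtpd's state machine, nothing to count here */
    }
    return hops;
}

#define LONG_LINE 100000UL   /* length of the constructed over-long header line */

static char msgbuf[LONG_LINE + 512];

/* Constructed sample message (not a real capture): two hop headers, one
 * very long non-matching header line, the CRLF that ends the header, and
 * a body line starting with "Received:" that must not be counted. */
static size_t build_sample(void)
{
    const char *head =
        "Received: from mx.example.net by mail.example.org with SMTP\r\n"
        "Delivered-To: alice@example.org\r\n"
        "Subject: counter test\r\n"
        "X-Long: ";
    const char *tail =
        "\r\n"
        "\r\n"
        "Received: body text, must not be counted as a hop\r\n";
    size_t n = 0;

    memcpy(msgbuf + n, head, strlen(head)); n += strlen(head);
    memset(msgbuf + n, 'a', LONG_LINE);     n += LONG_LINE;
    memcpy(msgbuf + n, tail, strlen(tail)); n += strlen(tail);
    return n;
}

/* Scan the sample with the chosen ++pos placement; returns hops, fills *max_pos. */
int run_demo(int fixed, unsigned long *max_pos)
{
    size_t n = build_sample();
    return count_hops(msgbuf, n, fixed, max_pos);
}

int demo_hops(int fixed)            { unsigned long m; return run_demo(fixed, &m); }
unsigned long demo_max_pos(int fixed) { unsigned long m; run_demo(fixed, &m); return m; }

int main(void)
{
    printf("qmail 1.03 placement: hops=%d, pos reached %lu\n",
           demo_hops(0), demo_max_pos(0));
    printf("patched placement   : hops=%d, pos reached %lu\n",
           demo_hops(1), demo_max_pos(1));
    return 0;
}
```

Both runs count the same two hops and stop scanning at the blank CRLF line, so the Received: in the body is ignored either way; the difference is only in pos, which tracks the full line length with the original placement (100010 here, i.e. the 8-byte "X-Long: " prefix, 100000 a's and the CRLF) and never exceeds 9 with the patch. An int reaches its limit after 2^31 bytes of one line, which is the 2GB figure in the report.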
【References】
●full-disclosure ML archive http://www.st.ryukoku.ac.jp/~kjm/security/ml-archive/full-disclosure/
┗[Full-Disclosure] Lame crash in qmail-smtpd and memory overwrite according to gdb, yet still qmail much better than windows, January 15, 2004