
[Nmh-workers] 1.1RC4: buffer overrun in scan

From: pmaydell
Subject: [Nmh-workers] 1.1RC4: buffer overrun in scan
Date: Sun, 06 Nov 2005 01:52:01 +0000


mnementh$ gdb ./scan
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library 

(gdb) run -width 16536 -file /tmp/bad.txt
Starting program: /home/pm215/junk/nmh-from-cvs/uip/scan -width 16536 -file 

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

The file in question is available at


It's got a 16K long From field, all on one line. This would probably
be tricky to get through MTAs without something folding it, however:


is a folded From header and also crashes. (The presence of the RFC2047
encoded bit seems to be necessary in the folded case: perhaps there are
two overruns...)

This seems to have been in nmh for some time: a 1.0.4 I had also exhibits
the bug. This would be a remote exploit if you were in the habit of
running scan with ludicrously high width parameters. (Not quite so
implausible as you might think, since an easy way to get untruncated
headers in a script is to run scan with a large -width and look at the
result, but 16K is pretty silly even for that.)

I think this ought to be fixed for 1.2, but I don't know if I'll have
time to investigate before next week. Preliminary investigation suggests
that at least one of the problems is decode_rfc2047(), whose API is
totally broken since it has to be passed a preallocated buffer but
doesn't let the caller specify the length of the buffer...

On the bright side, I've now checked in fixes for all the other things
I thought needed to be fixed for 1.2...

-- PMM
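The point PMM makes about decode_rfc2047() is that a decoder which writes into a caller-supplied buffer needs to know that buffer's length, and needs to tell the caller when the input did not fit. The following is an added illustration, not nmh's code and not its real decode_rfc2047() signature: a minimal RFC 2047 "Q" decoder written in both API shapes, the length-less one the message criticises and a snprintf-style bounded one, plus a caller that checks for truncation. The function names, the 32- and 64-byte buffers and the sample headers are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hex digit value, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Store one byte if it fits (keeping room for the NUL); always count it. */
static void emit(char *out, size_t outlen, size_t *need, int ch) {
    if (*need + 1 < outlen) out[*need] = (char)ch;
    (*need)++;
}

/* Bounded decoder, the API shape the message asks for.  Writes at most
 * outlen-1 bytes plus a NUL and returns the size the full decoding needs
 * (excluding the NUL), so a return >= outlen means truncation.  outlen == 0
 * is a pure sizing call and out may be NULL.  Only "Q" encoded-words are
 * decoded; "B" words and malformed input are copied through unchanged
 * (a simplification for this illustration, not all of RFC 2047). */
size_t decode_rfc2047_n(const char *in, char *out, size_t outlen) {
    size_t need = 0;
    while (*in) {
        if (in[0] == '=' && in[1] == '?') {            /* =?charset?Q?text?= */
            const char *q = strchr(in + 2, '?'), *end = NULL;
            if (q && (q[1] == 'Q' || q[1] == 'q') && q[2] == '?')
                end = strstr(q + 3, "?=");
            if (end) {
                for (const char *t = q + 3; t < end; t++) {
                    int hi, lo;
                    if (*t == '_') {
                        emit(out, outlen, &need, ' ');
                    } else if (*t == '=' && t + 2 < end &&
                               (hi = hexval((unsigned char)t[1])) >= 0 &&
                               (lo = hexval((unsigned char)t[2])) >= 0) {
                        emit(out, outlen, &need, hi * 16 + lo);
                        t += 2;
                    } else {
                        emit(out, outlen, &need, (unsigned char)*t);
                    }
                }
                in = end + 2;
                continue;
            }
        }
        emit(out, outlen, &need, (unsigned char)*in);
        in++;
    }
    if (outlen > 0) out[need < outlen ? need : outlen - 1] = '\0';
    return need;
}

/* The shape the message criticises: the caller preallocates out but cannot
 * say how big it is, so the decoder must assume it is unlimited, and any
 * header longer than the caller guessed overruns out.  Contrast only; never
 * feed it untrusted headers. */
void decode_rfc2047_unbounded(const char *in, char *out) {
    decode_rfc2047_n(in, out, (size_t)-1);
}

/* What a width-limited caller should do: decode into its fixed buffer and
 * check the return value.  1 if the header fit, 0 if it was truncated. */
int decode_fits(const char *hdr, char *buf, size_t buflen) {
    return decode_rfc2047_n(hdr, buf, buflen) < buflen;
}

/* Decode into a local buffer of outlen bytes (1..64) and compare. */
int decodes_to(const char *in, size_t outlen, const char *expect) {
    char buf[64] = "";
    if (outlen > sizeof buf) outlen = sizeof buf;
    decode_rfc2047_n(in, buf, outlen);
    return strcmp(buf, expect) == 0;
}

/* A one-line header of n bytes, like the 16K From: in the report, decoded
 * into a 32-byte buffer.  Returns the size the decoder said it needed; the
 * buffer is never overrun whatever n is. */
size_t probe_long_header(size_t n) {
    char buf[32];
    char *hdr = malloc(n + 1);
    size_t need;
    if (!hdr) return 0;
    memset(hdr, 'A', n);
    hdr[n] = '\0';
    need = decode_rfc2047_n(hdr, buf, sizeof buf);
    free(hdr);
    return need;
}

int main(void) {
    const char *hdr = "=?US-ASCII?Q?Bad_=3Cname=3E?= <bad@example.invalid>"; /* constructed */
    char buf[16];
    printf("fits in 16: %d -> \"%s\"\n", decode_fits(hdr, buf, sizeof buf), buf);
    printf("16536-byte header needs %zu bytes; buffer untouched past its end\n",
           probe_long_header(16536));
    return 0;
}
```

The design choice worth copying is the snprintf convention: the bounded decoder always returns the size it would have needed, so a caller that reads the return value can detect truncation, retry with a larger buffer, or reject the message, and a caller that ignores it still cannot be made to write past its buffer.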
