[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Nmh-workers] nmh 1.2 failed in doing smtp authentication

From: Peter Maydell
Subject: Re: [Nmh-workers] nmh 1.2 failed in doing smtp authentication
Date: Tue, 29 Apr 2008 22:21:12 +0100

Peter Maydell wrote:
> (Also I'd like to audit that code to check
>that the string really is always NUL-terminated.)

I'm glad I did that, because smhear() appears to have had in it for a decade
completely broken accounting of the space left in the reply buffer in the
case where there's a continuation line from the SMTP server.

I think this is at least potentially a security hole in that if you connect
to a malicious SMTP server it could send you lines which result in an overrun
of the (global) buffer and (maybe) execution of arbitrary code.
I don't know how much of a song-and-dance we want to make about that.

(lines 1659-1662 in rev 1.22:
That chunk of code seems (a) to have mistaken rc for a count of bytes used
in the buffer rather than bytes of space free, and also fails to update rp.
Rev 1.23 includes my fix for it and some other less serious issues.)

-- PMM

reply via email to

[Prev in Thread] Current Thread [Next in Thread]