Hi,
----- Original Message -----
From: "Gabriel Ambuehl" <[EMAIL PROTECTED]>
> > buffer overflow will effectively replace the address for the MAIL FROM
> > command of outgoing smtp session with crap leading to email rejections
> > from remote smtp servers.
>
> Hmm that's bad...
Well, it's been around forever. I first noticed the bug in FreeBSD
3.4-STABLE. I have sent the patch to the FreeBSD team and code to test if a
particular installation is vulnerable.
The issue is as much with qmail as with the FreeBSD code. Most applications
that try to discover the interfaces present on a given system use the same
system call as qmail, but with a large buffer (usually around 8k). This
buffer is big enough in 99.99% of the cases. Qmail on the other hand tries to
save a few bytes here and there, so it uses the system call with a very
small buffer (256 bytes) and then increases it by a few bytes until it knows
that it got all the interfaces.
The only advantage of qmail's way is that it saves some memory. The main
drawbacks are:
- it is vulnerable to the BSD socket bug (which is not limited to FreeBSD)
- it uses a fairly high number of system calls to do something that should
be done in one system call.
Qmail can be patched for that problem as well.
(here it is)
--- ipme.c.orig 2000/04/08 18:49:08
+++ ipme.c 2000/04/09 08:14:11
@@ -48,7 +48,7 @@
if ((s = socket(AF_INET,SOCK_STREAM,0)) == -1) return -1;
- len = 256;
+ len = 8092; /* any value big enough to get all the interfaces in one read
is good */
for (;;) {
if (!stralloc_ready(&buf,len)) { close(s); return 0; }
buf.len = 0;
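Review bot: the `+ len = 8092;` line is wrapped in the mail, so its comment ends on a bare `is good */` line with no `+` prefix, and the hunk will not apply as pasted. The value 8092 also looks like a typo for 8192 (the message says "around 8k"); either way, keep the statement and its comment on one line, e.g. `len = 8192; /* big enough to get all the interfaces in one read */`, or give the constant a name. Starting large only reduces the number of round trips: if 8k is not enough, the loop below still has to grow the buffer, so the growth step is just as important as this initial size.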
@@ -60,7 +60,7 @@
break;
}
if (len > 200000) { close(s); return -1; }
- len += 100 + (len >> 2);
+ len *= 2;
}
x = buf.s;
while (x < buf.s + buf.len) {
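Review bot: `len *= 2` is the part of the patch that actually avoids the small-increment pattern the message blames for the kernel bug, but the hunk carries no comment saying so, and a future reader will see only a growth-rate tweak; suggest `len *= 2; /* grow in big steps; small increments trip the BSD SIOCGIFCONF bug */`. Note also that the `if (len > 200000)` check precedes the doubling, so the buffer is grown past the cap once before the loop gives up (with the 8092 start, the last attempt uses 258944 bytes); harmless, but worth either a comment or moving the check after the growth.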
>
> > The file to patch is /usr/src/sys/net/if.c, the attached patch is
> > against the current RELENG_4 version.
>
> Do you mean 4.0 Current or 4.0 Release (we'll use the latter, if WC
> sends us the CDs.. Ordered them since they're scheduled but nothing
> yet arrived)?
This is for any FreeBSD to date. And as for the CDs, we got ours last week,
so yours should not be too far away...
Patrick.