user [EMAIL PROTECTED]
usertags #392452 close-20070831
thanks

On Wed, Oct 11, 2006 at 07:48:12PM +0100, Jochen Voss wrote:
> recently I noticed the following bits of code in the source file
> src/exim_dbmbuild.c (function 'main'):
>
>   int main(int argc, char **argv)
>   {
>   uschar temp_dbmname[256];
>   uschar real_dbmname[256];
>   ...
>   Ustrcpy(temp_dbmname, argv[arg+1]);
>   Ustrcat(temp_dbmname, ".dbmbuild_temp");
>   ...
>   sprintf(CS real_dbmname, "%s.db", temp_dbmname);
>
> where 'Ustrcpy' and 'Ustrcat' are functionally equivalent to 'strcpy'
> and 'strcat'. Since command line arguments are not limited in size
> and since the functions Ustrcpy, Ustrcat and sprintf do not include
> any length checks on their arguments, this will easily overflow the
> buffers 'temp_dbmname' and 'real_dbmname'.

Upstream says this was fixed.

> Probably the following crash is a symptom of this:
>
>   [EMAIL PROTECTED] [~] touch xxx
>   [EMAIL PROTECTED] [~] /usr/sbin/exim_dbmbuild xxx $(python -c 'print "a"*9999')
>   Segmentation fault

It now says "file name is ridiculously overlong". Does this fix the
issue for you?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
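
The overflow in the quoted report comes from building both file names with unchecked copies into 256-byte buffers. As an added example (not part of this message and not Exim's actual fix), the C code below builds the same two names with snprintf and rejects any input that would not fit; build_dbm_names and DBMNAME_MAX are hypothetical names, plain char stands in for Exim's uschar, and taking the name from argv[1] is an assumption.

```c
#include <stdio.h>
#include <string.h>

#define DBMNAME_MAX 256   /* same size as the buffers in the quoted code */

/* Hypothetical helper (not an Exim function): writes "<base>.dbmbuild_temp"
   and "<base>.dbmbuild_temp.db" into caller-supplied buffers, each of
   DBMNAME_MAX bytes. Returns 0 on success, -1 if either name would not fit. */
static int build_dbm_names(const char *base, char *temp_name, char *real_name)
{
    int n;

    /* snprintf returns the length it needed, not the length it wrote.
       A result >= the buffer size means truncation; treat that as an error
       instead of continuing with a shortened file name. */
    n = snprintf(temp_name, DBMNAME_MAX, "%s.dbmbuild_temp", base);
    if (n < 0 || n >= DBMNAME_MAX) return -1;

    n = snprintf(real_name, DBMNAME_MAX, "%s.db", temp_name);
    if (n < 0 || n >= DBMNAME_MAX) return -1;

    return 0;
}

int main(int argc, char **argv)
{
    char temp_dbmname[DBMNAME_MAX];
    char real_dbmname[DBMNAME_MAX];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <output-name>\n", argv[0]);
        return 2;
    }
    /* argv[1] as the output name is an assumption made for this example. */
    if (build_dbm_names(argv[1], temp_dbmname, real_dbmname) != 0) {
        fprintf(stderr, "output file name too long\n");
        return 1;
    }
    printf("%s\n%s\n", temp_dbmname, real_dbmname);
    return 0;
}
```

The longest base name accepted is 238 bytes, because the two suffixes add 17 bytes and one byte is reserved for the terminating NUL.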