The last patch I sent to the list is incomplete because it did not handle the case where there are too many short DELIVERED or RECEIVED lines, which still has potential to cause memory overwrites.
I hope this time the exploit potential is completely eliminated. Cheers, Xin LI --- qmail-smtpd.c.orig Mon Jan 19 23:20:38 2004 +++ qmail-smtpd.c Mon Jan 19 23:22:36 2004 @@ -305,7 +305,7 @@ *hops = 0; flaginheader = 1; pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; - for (;;) { + for (;;((*hops) < MAXHOPS)) { substdio_get(&ssin,&ch,1); if (flaginheader) { if (pos < 9) { @@ -317,7 +317,17 @@ if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0; if (flagmaybey) if (pos == 1) flaginheader = 0; } - ++pos; + if((++pos) > 1000) { + /* + * RFC 2821 has explicitly defined a text line can contain + * 1000 characters at maximium. This is a workaround to + * stop copying characters there, but I am not sure about + * the side effect. Consider this as an attack and set hops + * to MAXHOPS to prevent future processing. + */ + *hops = MAXHOPS; + break; + } if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; } } switch(state) {
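Review bot: the new loop header `for (;;((*hops) < MAXHOPS))` in the first hunk does not bound the loop at all; the third clause of a `for` is the step expression evaluated after each iteration, so `(*hops) < MAXHOPS` is computed and discarded and the loop is as unbounded as the original `for (;;)`. The test belongs in the second clause, `for (;(*hops) < MAXHOPS;) {`, or more readably `while ((*hops) < MAXHOPS) {`. Even with that corrected, this loop is the one that pulls the message through `substdio_get(&ssin,&ch,1)` one character at a time, so leaving it on a hop count rather than on the end-of-data marker means the rest of the DATA stream is never consumed by this code; please confirm what the caller does with that unread input, and consider keeping the read loop intact (just stop counting once `*hops` reaches `MAXHOPS`) and rejecting the message after the loop instead of exiting early.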
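Review bot: the `break` in the new `if((++pos) > 1000)` block of the second hunk has the same early-exit problem as bounding the loop on `*hops`: it leaves the read loop part-way through a header line with everything up to the message terminator still unread, which is exactly the side effect the comment says it is unsure about. An over-long line is also a different condition from too many hops, so overloading `*hops = MAXHOPS` to signal it hides which limit was actually hit; a separate flag that the code after the loop can check would make the rejection explicit. Smaller points: the check sits inside the `if (flaginheader)` block, so it bounds header lines only and body lines are not limited by it at all; `1000` deserves a named constant next to `MAXHOPS` (RFC 2821 states the limit including the CRLF); `if((++pos)` does not follow the file's `if (` spacing; and "maximium" in the comment should read "maximum".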