File qmail-1.03.qmtpd-netstring.patch of Package netqmail

Overview Repositories Revisions Requests Users Attributes Meta

File qmail-1.03.qmtpd-netstring.patch of Package netqmail

# qmail-1.03.qmtpd-netstring.patch
#
# This patch corrects a programming error in
# the getlen() and main() routines of qmail-qmtpd.c.
#
# These routines read input length in netstring format.
# But the original code does not test for numeric validity
# in the length field of the netstring.
#
# As a consquence, it is possible for an attacker to design
# input to create a buffer overflow.
#
# This patch modifies the original to perform validity
# checking when reading the length field of the netstring.
#
# George Guninski documents this bug at:
#
#   http://www.guninski.com/qmail-qmtpd.html
#
# For additional information about qmail and patches,
# see:
#
#   http://www.thedjbway.org/qmail/patches.html
#
# PUBLIC DOMAIN.
# NO WARRANTY.
# USE AT YOUR OWN RISK.  Etc, etc., etc.
#
# wcm, 2004.10.04 - 2004.10.04
# ===
diff -u qmail-1.03.orig/qmail-qmtpd.c qmail-1.03/qmail-qmtpd.c
--- qmail-1.03.orig/qmail-qmtpd.c	Mon Jun 15 03:52:55 1998
+++ qmail-1.03/qmail-qmtpd.c	Mon Oct  4 11:46:03 2004
@@ -45,6 +45,8 @@
   for (;;) {
     substdio_get(&ssin,&ch,1);
     if (ch == ':') return len;
+    /* trap non-numeric input in netstring: */
+    if ((ch < '0') || (ch > '9')) badproto();
     if (len > 200000000) resources();
     len = 10 * len + (ch - '0');
   }
@@ -193,6 +195,8 @@
         substdio_get(&ssin,&ch,1);
         --biglen;
         if (ch == ':') break;
+        /* trap non-numeric input in netstring: */
+        if ((ch < '0') || (ch > '9')) badproto();
         if (len > 200000000) resources();
         len = 10 * len + (ch - '0');
       }

Places

File qmail-1.03.qmtpd-netstring.patch of Package netqmail

Places