Potential remote crashes

David Relson relson at osagesoftware.com
Sat May 10 01:39:45 CEST 2003


At 07:27 PM 5/9/03, Matthias Andree wrote:

>Timo Sirainen <tss at iki.fi> writes:
>
> > Did a small code audit. Looks pretty good in general, but found a few
> > things:
>
>Thanks a bunch!

... [snip] ...

>I have added a band-aid workaround: a check to abort() bogofilter if
>avail < 2. That's ugly, but doesn't trigger with the tests we have, and
>we have a trusted minimal "count" after that. I'd rather have
>self-contained functions than rely on the callers to do things
>right. I'd also rather kill bogofilter than continue with a possibly
>corrupted heap. We can still fix the abort() later when someone has a
>message to trigger the abort(). Let's not take a chance here, there's
>enough unsafe software in the world.

...[snip]...

>I have cleaned up and fixed that function as well. I haven't researched
>if this is exploitable, but I wouldn't rule out a vulnerability
>off-hand. Looks as though it's time for another release and another
>security announcement, just in case.
>
>Timo, could you update from CVS and have another look at qp_decode() and
>yy_use_redo_text()?
>
>David, what do you think?


Matthias,

I don't _think_ either of these items needs fixing, though I am not certain.

yy_use_redo_text() is strictly internal to bogofilter and is used under 
controlled circumstances.  I don't think there's a problem with the used 
and avail fields.  I've been busy with other tasks and haven't had an 
opportunity to look closely enough at the code to determine if there's a 
problem.

Similarly I haven't taken a close look at qp_decode().  Decoding 
quoted-printable text has the property that the output text is shorter than 
the input.  This lessens the opportunity for a buffer-overrun.  Again, I'd 
need to look closely at the code to determine if there's a 
problem.  Offhand, I don't think there is.

David
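An added example, not code from bogofilter or from either author in this thread: a bounds-checked quoted-printable decoder illustrating the two points discussed above, that QP output never exceeds its input, and that a self-contained decoder still checks avail on every write rather than relying on the caller to size the buffer. Function names are mine.

```c
#include <stddef.h>
#include <string.h>
/* Added example, not bogofilter's qp_decode(): a bounds-checked QP decoder.
 * Output never exceeds input, yet avail is still checked on every write. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;  /* fold A-F to a-f */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Decode inlen bytes of 'in' into 'out' (capacity avail).
 * Returns bytes written, or -1 if out is too small. A malformed '='
 * sequence is copied through literally, so output <= input always holds. */
long qp_decode_safe(const unsigned char *in, size_t inlen,
                    unsigned char *out, size_t avail)
{
    size_t i = 0, o = 0;
    while (i < inlen) {
        unsigned char c = in[i];
        if (c == '=') {
            /* soft line break "=\n" or "=\r\n" produces no output */
            if (i + 1 < inlen && in[i + 1] == '\n') { i += 2; continue; }
            if (i + 2 < inlen && in[i + 1] == '\r' && in[i + 2] == '\n') { i += 3; continue; }
            /* "=XX": three input bytes become one output byte */
            if (i + 2 < inlen) {
                int hi = hexval(in[i + 1]), lo = hexval(in[i + 2]);
                if (hi >= 0 && lo >= 0) {
                    if (o >= avail) return -1;
                    out[o++] = (unsigned char)(hi * 16 + lo);
                    i += 3;
                    continue;
                }
            }
        }
        if (o >= avail) return -1;   /* explicit capacity check on every write */
        out[o++] = c;
        i++;
    }
    return (long)o;
}
/* Decode a C string and compare with expected: 1 match, 0 mismatch, -1 no room. */
int qp_check(const char *in, const char *expect, size_t avail)
{
    unsigned char out[128];
    long n = qp_decode_safe((const unsigned char *)in, strlen(in), out,
                            avail < sizeof out ? avail : sizeof out);
    if (n < 0) return -1;
    return (size_t)n == strlen(expect) && memcmp(out, expect, (size_t)n) == 0;
}
```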