Potential remote crashes
Matthias Andree
matthias.andree at gmx.de
Sat May 10 03:06:24 CEST 2003
- Previous message (by thread): Potential remote crashes
- Next message (by thread): [cvs] bogofilter/src memdebug.h,NONE,1.1 memdebug.c,NONE,1.1 Makefile.am,1.10,1.11 main.c,1.42,1.43 xcalloc.c,1.1,1.2 xmalloc.c,1.1,1.2 xrealloc.c,1.2,1.3
David Relson <relson at osagesoftware.com> writes:
> Matthias,
>
> I don't _think_ either of these items needs fixing, though I am not
> certain.
> yy_use_redo_text() is strictly internal to bogofilter and is used under
> controlled circumstances. I don't think there's a problem with the used
> and avail fields. I've been busy with other tasks and haven't had an
> opportunity to look closely enough at the code to determine if there's a
> problem.
Well, the avail fields and environment forth or back, we mustn't let an
integer underrun slip. There have been exploitable vulnerabilities in
fetchmail and sendmail to name prominent examples.
> Similarly I haven't taken a close look at qp_decode(). Decoding
> quoted-printable text has the property that the output text is shorter
> than the input. This lessens the opportunity for a buffer-overrun.
> Again, I'd need to look closely at the code to determine if there's a
> problem. Offhand, I don't think there is.
qp_decode() wasn't exact about the buffer length. We checked if 1 byte
was left (s < e), but when the last character was a "=", qp_decode would
read up to two more bytes. Possible scenarios (sorta hardware dependent):
0. SIGSEGV for reading past the buffer's end.
1. when the next two bytes are hex digits: change the = to some other
character (decoding error, evil)
2. else: figure it wasn't a =FC encoded character (because it was for
example =\0=, 3D 00 3D) and write the = back, the next two characters
back (SIGSEGV possible, try efence) and stuff another NUL byte after
these, possibly as 3rd byte _past_ the buffer. -> Boom, heap
corrupted. Consequence undetermined and possibly nondeterministic. We
don't want that.
These unfortunate C strings...
I think this would be rather hard to exploit, but it deserves mention
nonetheless because it can be used to mount an avoidable
denial-of-service attack: if the decoder crashes, the mail is to return
to the queue, where it will remain for a week or so. Now go fill the
disk with b0rked mail to postmaster and watch the victim suffer.
That's why I said we need an audit before 1.0...
--
Matthias Andree
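The bounds problem Matthias describes, as an added example that is not bogofilter's own qp_decode() and not code from this thread: a minimal quoted-printable decoder written in the faulty shape the mail describes (the only bound on the loop is `s < e`, so a trailing `=` reads `s[1]` and `s[2]` past the end and, on a non-hex pair, copies three bytes plus a NUL out), beside a hardened decoder that checks the remaining length before touching `s[1]` or `s[2]` and never writes more bytes than it consumed. Function names, the soft-line-break handling and the sample inputs are assumptions constructed for this demonstration; the over-read is made observable by declaring a shorter length than the backing array actually has, so the faulty decoder stays inside a real object instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hex digit value, or -1 if c is not a hex digit. */
static int hexval(unsigned char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Hypothetical faulty decoder (not bogofilter's code): the loop only
 * guarantees s < e, so a '=' in the last one or two positions reads
 * s[1] / s[2] beyond e. If those stray bytes happen to be hex digits the
 * '=' is silently replaced (decoding error); otherwise '=' and the two
 * bytes after it are copied out, followed by a NUL, which can land up to
 * three bytes past an output buffer sized from the input length.
 */
size_t qp_decode_unsafe(const unsigned char *s, size_t len, unsigned char *out) {
    const unsigned char *e = s + len;
    size_t n = 0;
    while (s < e) {
        if (*s == '=') {
            int hi = hexval(s[1]), lo = hexval(s[2]);   /* BUG: no check that s + 2 < e */
            if (hi >= 0 && lo >= 0) {
                out[n++] = (unsigned char)((hi << 4) | lo);
            } else {
                out[n++] = '=';                          /* BUG: writes 3 bytes for */
                out[n++] = s[1];                         /* a 1-byte input, so out */
                out[n++] = s[2];                         /* can exceed len         */
            }
            s += 3;
        } else {
            out[n++] = *s++;
        }
    }
    out[n] = '\0';   /* after the else branch this may sit 3 bytes past len */
    return n;
}

/*
 * Hardened decoder. Every access to s[1] / s[2] is guarded by the number
 * of bytes left (e - s). A '=' that cannot start a complete "=XX" or a
 * soft line break ("=\n" or "=\r\n") is passed through literally. Each
 * iteration emits at most one byte and consumes at least one, so the
 * output never exceeds len; out must hold len + 1 bytes for the NUL.
 */
size_t qp_decode_safe(const unsigned char *s, size_t len, unsigned char *out) {
    const unsigned char *e = s + len;
    size_t n = 0;
    while (s < e) {
        if (*s != '=') { out[n++] = *s++; continue; }
        if (e - s >= 2 && s[1] == '\n') { s += 2; continue; }                   /* soft break */
        if (e - s >= 3 && s[1] == '\r' && s[2] == '\n') { s += 3; continue; }   /* soft break */
        if (e - s >= 3) {
            int hi = hexval(s[1]), lo = hexval(s[2]);
            if (hi >= 0 && lo >= 0) {
                out[n++] = (unsigned char)((hi << 4) | lo);
                s += 3;
                continue;
            }
        }
        out[n++] = *s++;   /* lone or trailing '=': copy literally, never look past e */
    }
    out[n] = '\0';
    return n;
}

/* Demo wrappers: decode with the given declared length into a static
   scratch buffer (large enough to absorb the faulty decoder's overflow
   here) and return it as a C string for comparison. */
static unsigned char scratch[64];

const char *decode_unsafe_str(const char *in, size_t len) {
    qp_decode_unsafe((const unsigned char *)in, len, scratch);
    return (const char *)scratch;
}

const char *decode_safe_str(const char *in, size_t len) {
    qp_decode_safe((const unsigned char *)in, len, scratch);
    return (const char *)scratch;
}

int main(void) {
    /* Constructed inputs: the declared length 2 excludes the "41" that
       sits in the same array, standing in for whatever follows the
       buffer on the heap. */
    printf("unsafe \"a=\" -> \"%s\"\n", decode_unsafe_str("a=41", 2));   /* '=' became 'A' */
    printf("safe   \"a=\" -> \"%s\"\n", decode_safe_str("a=41", 2));     /* '=' preserved  */
    printf("unsafe \"=\"  -> \"%s\"\n", decode_unsafe_str("=zz", 1));    /* 3 bytes from 1 */
    printf("safe   \"=\"  -> \"%s\"\n", decode_safe_str("=zz", 1));
    printf("safe   \"a=3Db\" -> \"%s\"\n", decode_safe_str("a=3Db", 5));
    return 0;
}
```

The check that matters is `e - s >= 3` before reading a hex pair (and `e - s >= 2` for the short soft break); with it in place the "output is never longer than input" property David relies on actually holds, because the literal-copy fallback emits one byte per consumed byte, and an output buffer of len + 1 is provably sufficient. The faulty variant shows both failure modes from the mail on deterministic data: stray hex digits past the end corrupt the decoded text, and a non-hex tail turns a one-byte input into three bytes plus a NUL.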