Re: buffer overrun in bind db
On Thu, Jan 31, 2002 at 04:55:02PM +0300, Alexey Antipov wrote:
> Zmailer version: 2.99.56-pre1
> OS: FreeBSD 4.5-RELEASE i386, FreeBSD 3.4-RELEASE i386
> The router subsystem crashes while processing messages with a very long 'To:'
> header containing '\n' chars. These long headers may appear when a quotation
> symbol (square bracket) is missing. The whole part after the left square bracket may
> be treated as a host name (longer than MAXNAME). This hostname is passed to
> search_res for resolving. After an error occurs, this hostname is copied into
> the statically allocated fixed-size buffer h_errhost. Router segmentation
> Maybe such combination of static buffer and strcpy can appear in other
> parts of zmailer source tree.
Not very many of those are left anymore.
... hmm.. better not to hang myself, 'grep strcpy */*.c' shows
quite a few instances, which all need to be verified...
> A real-life letter that causes the router crash may be found at
> Sample FreeBSD patch:
The strlcpy() function appears to be FreeBSD specific.
I implemented this a bit differently, which isn't the fastest possible,
but it is in the exception path anyway. (And DNS lookups are SLOW..)
> --- router/libdb/bind.c.orig Fri Jan 25 21:04:52 2002
> +++ router/libdb/bind.c Fri Jan 25 21:07:18 2002
> @@ -351,7 +351,7 @@
> "search_res: CNAME chain length exceeded (%s)\n",
> - strcpy(h_errhost, host);
> + strlcpy(h_errhost, host, sizeof (h_errhost));
> h_errno = TRY_AGAIN;
> return NULL;
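Review bot: the `+` line relies on strlcpy(), which is not available in every libc the router is built against, so the patch needs a portable fallback before it can be applied tree-wide; `snprintf(h_errhost, sizeof (h_errhost), "%s", host)` gives the same bounded, NUL-terminated copy on any C library, whereas a plain strncpy() of `sizeof (h_errhost) - 1` bytes would still need the terminating NUL written explicitly. Either way the copy now truncates `host` silently, which is fine here since the function returns NULL with `h_errno = TRY_AGAIN` and the name is only used for the diagnostic, but that should be noted in a comment next to the copy.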
/Matti Aarnio <firstname.lastname@example.org>
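The bounded copy discussed in this thread, written out as an added example that is not ZMailer's code: a portable strlcpy()-style helper used to fill a fixed-size static buffer named after h_errhost, so an over-long host name is truncated instead of overrunning the buffer. The buffer size, the helper names and the sample host names are assumptions constructed for illustration.

```c
/* Added example, not ZMailer's code.  ERRHOST_SIZE and the helper names
 * are constructed; the real buffer size is not given in the thread. */
#include <stdio.h>
#include <string.h>

#define ERRHOST_SIZE 64

static char h_errhost[ERRHOST_SIZE];    /* the fixed-size static buffer */
static char sample_long_host[512];      /* constructed over-long input */

/* strlcpy()-style copy using only C89 library calls: never writes past
 * dst[size-1], always NUL-terminates when size > 0, and returns strlen(src)
 * so the caller can detect truncation (return value >= size). */
size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size == 0)
        return srclen;
    if (srclen >= size) {
        memcpy(dst, src, size - 1);     /* copy what fits ... */
        dst[size - 1] = '\0';           /* ... and terminate explicitly */
    } else {
        memcpy(dst, src, srclen + 1);   /* fits, including the NUL */
    }
    return srclen;
}

/* Records the failing host name the way the patched error path does, but
 * with the bounded copy.  Returns 1 if the name had to be truncated. */
int record_errhost(const char *host)
{
    return bounded_copy(h_errhost, host, sizeof(h_errhost)) >= sizeof(h_errhost);
}

const char *current_errhost(void) { return h_errhost; }

/* Constructed input: a "host name" far longer than the buffer, like the
 * text after an unbalanced '[' in a To: header described in the report. */
const char *constructed_long_host(void)
{
    memset(sample_long_host, 'a', sizeof(sample_long_host) - 1);
    sample_long_host[sizeof(sample_long_host) - 1] = '\0';
    return sample_long_host;
}

int main(void)
{
    int truncated = record_errhost(constructed_long_host());
    printf("truncated=%d stored_len=%lu\n", truncated, (unsigned long)strlen(h_errhost));
    return 0;
}
```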