
Bug in smtpserver



Thanks to Matti, everything seems to be working fine here now. There
is a small buglette in the smtpserver. If you disable VRFY and EXPN
via the smtpserver.conf file, they will still work if the server
doesn't receive a HELO.

---------
220 redhotmomma.ssr.com Server ESMTP 2.99.20 #1 ready at Mon, 6 Nov 1995 01:49:47 -0500
expn sdb@ssr.com
250 Scott Ballantyne <sdb>
vrfy sdb@ssr.com
250 Scott Ballantyne <sdb>
helo localhost.ssr.com
250  redhotmomma.ssr.com Hello localhost.ssr.com
expn sdb@ssr.com
502 Command not implemented
vrfy sdb@ssr.com
252 Cannot VRFY user, but will accept message and attempt delivery
quit
---------

This is because the cfinfo variable is really only initialized
reliably from the smtp_helo routine. It seems to me the correct fix is
the following, which just checks the state to see if we are still
waiting for HELO. This is still not perfect, since local users can
still exploit the bug, but we don't care about that here.

----------------------------------------------------------------

	    case Verify:
	    case Verify2:
		if (state == Hello)
		  {
		    type (503, "Waiting for HELO/EHLO command");
		    break;
		  }
		if ((cfi = STYLE(cfinfo, 'v'))) {
		  while (*cp == ' ' || *cp == '\t') ++cp;
		  if (*cp == '<')
		    s = rfc821_path(cp,cfi); /* with < > */
		  else
		    s = rfc821_path2(cp,cfi); /* Without < > */
		  if (s == cp) {
		    type821err(501,buf,"Path data: %s",rfc821_error);
		    break;
		  }
		  while (*s == ' ' || *s == '\t') ++s;
		  if (*s != 0) {
		    type(501, "Growl! Extra junk after the VRFY argument!");
		    break;
		  }
		  if ((s = router(RKEY_VERIFY, 0, cp)) != NULL) {
		    printf("%s\r\n", s);
		    free(s);
		  }
		} else
		  type(252, (char *)NULL);
		break;
	    case Expand:
		if (state == Hello)
		  {
		    type (503, "Waiting for HELO/EHLO command");
		    break;
		  }
		if ((cfi = STYLE(cfinfo, 'e'))) {
		  while (*cp == ' ' || *cp == '\t') ++cp;
		  if (*cp == '<')
		    s = rfc821_path(cp,cfi); /* with < > */
		  else
		    s = rfc821_path2(cp,cfi); /* Without < > */
		  if (s == cp) {
		    type821err(501,buf,"Path data: %s",rfc821_error);
		    break;
		  }
		  while (*s == ' ' || *s == '\t') ++s;
		  if (*s != 0) {
		    type(501, "Growl! Extra junk after the EXPN argument!");
		    break;
		  }
		  if ((s = router(RKEY_EXPAND, 0, cp)) != NULL) {
		    printf("%s\r\n", s);
		    free(s);
		  }
		} else
		  type(502, (char *)NULL);
		break;
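
----------------------------------------------------------------

Added example, not part of the original message and not ZMailer source: a small self-contained C model of the session above, replaying the transcript with and without the "still waiting for HELO" check. All names are hypothetical, and the assumption that the pre-HELO policy behaves as permissive is taken from the 250 replies in the transcript.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Simplified model of the session in the message; NOT ZMailer code. */
enum state { WAIT_HELO, READY };
struct session {
    enum state state;
    const char *policy;  /* stand-in for cfinfo: letters of enabled commands */
    int check_state;     /* 1 = refuse VRFY/EXPN while still waiting for HELO */
};
/* Assumption: pre-HELO policy modelled as permissive, as in the transcript. */
static const char PRE_HELO_POLICY[] = "ve";
/* Constructed site configuration: VRFY and EXPN both disabled. */
static const char SITE_POLICY[] = "";

static void session_init(struct session *s, int check_state) {
    s->state = WAIT_HELO;
    s->policy = PRE_HELO_POLICY;
    s->check_state = check_state;
}

/* Returns the SMTP reply code for one command line. */
static int handle(struct session *s, const char *line) {
    int is_vrfy = strncasecmp(line, "vrfy ", 5) == 0;
    int is_expn = strncasecmp(line, "expn ", 5) == 0;
    if (strncasecmp(line, "helo ", 5) == 0 || strncasecmp(line, "ehlo ", 5) == 0) {
        s->policy = SITE_POLICY;   /* configuration is consulted only here */
        s->state = READY;
        return 250;
    }
    if (!is_vrfy && !is_expn)
        return 500;
    if (s->check_state && s->state == WAIT_HELO)
        return 503;                /* refuse before the policy is loaded */
    if (is_vrfy)
        return strchr(s->policy, 'v') ? 250 : 252;
    return strchr(s->policy, 'e') ? 250 : 502;
}

int main(void) {
    const char *script[] = { "expn sdb@ssr.com", "vrfy sdb@ssr.com",
        "helo localhost.ssr.com", "expn sdb@ssr.com", "vrfy sdb@ssr.com" };
    for (int fixed = 0; fixed <= 1; ++fixed) {
        struct session s;
        session_init(&s, fixed);
        for (size_t i = 0; i < sizeof script / sizeof *script; ++i)
            printf("%-9s %-24s -> %d\n", fixed ? "checked" : "unchecked",
                   script[i], handle(&s, script[i]));
    }
    return 0;
}
```

A regression test for this class of bug replays the disabled commands before and after the greeting and expects a refusal in both positions.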