[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: buffer overrun in bind db

On Thu, Jan 31, 2002 at 04:55:02PM +0300, Alexey Antipov wrote:
> Zmailer version: 2.99.56-pre1
> OS: FreeBSD 4.5-RELEASE i386, FreeBSD 3.4-RELEASE i386
> Router subsystem crashes while processing messages with very long 'To:'
> header with '\n' chars in.  This long headers may appear when quotation
> symbol missed (square bracket). Whole part after left square bracket may
> treated as host name (more longer than MAXNAME). This hostname passed to
> search_res for resolving. After error occured this hostname copied into
> staticaly allocated fixed size buffer h_errhost. Router segmentation
> violation.
> Maybe such combination of static buffer and strcpy can appear in other
> parts of zmailer source tree.

   Not very many of those are left anymore.

   ...   hmm..   better not to hang myself,  'grep strcpy */*.c' shows
   quite many instances, which all need to be verified...

> Real-life letter that cause router crash may be found at 
> http://www.lipetsk.ru/~rabbit/10866-42168

> Sample FreeBSD patch:

   The   strlcpy()  function appears to be FreeBSD specific.
   I implemented this a bit differently, which isn't fastest possible,
   but it is in exception path anyway.  (And DNS lookups are SLOW..)

> =====================================================================
> --- router/libdb/bind.c.orig	Fri Jan 25 21:04:52 2002
> +++ router/libdb/bind.c	Fri Jan 25 21:07:18 2002
> @@ -351,7 +351,7 @@
>  	  fprintf(stderr,
>  		  "search_res: CNAME chain length exceeded (%s)\n",
>  		  host);
> -	  strcpy(h_errhost, host);
> +	  strlcpy(h_errhost, host, sizeof (h_errhost));
>  	  h_errno = TRY_AGAIN;
>  	  return NULL;
>  	}

/Matti Aarnio	<mea@nic.funet.fi>
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi