Re: buffer overrun in bind db
On Thu, Jan 31, 2002 at 04:55:02PM +0300, Alexey Antipov wrote:
> Zmailer version: 2.99.56-pre1
> OS: FreeBSD 4.5-RELEASE i386, FreeBSD 3.4-RELEASE i386
>
> The router subsystem crashes while processing messages with a very long 'To:'
> header containing '\n' chars. Such long headers may appear when a quotation
> symbol (square bracket) is missing. The whole part after the left square bracket
> may be treated as a host name (longer than MAXNAME). This hostname is passed to
> search_res for resolving. After an error occurs this hostname is copied into the
> statically allocated fixed-size buffer h_errhost. Router segmentation
> violation.
>
> Maybe such a combination of static buffer and strcpy can appear in other
> parts of the zmailer source tree.
Not very many of those are left anymore.
... hmm.. better not to hang myself; 'grep strcpy */*.c' shows
quite a few instances, which all need to be verified...
> A real-life letter that causes the router crash may be found at
> http://www.lipetsk.ru/~rabbit/10866-42168
....
> Sample FreeBSD patch:
The strlcpy() function appears to be FreeBSD specific.
I implemented this a bit differently, which isn't the fastest possible,
but it is in the exception path anyway. (And DNS lookups are SLOW..)
> =====================================================================
> --- router/libdb/bind.c.orig Fri Jan 25 21:04:52 2002
> +++ router/libdb/bind.c Fri Jan 25 21:07:18 2002
> @@ -351,7 +351,7 @@
> fprintf(stderr,
> "search_res: CNAME chain length exceeded (%s)\n",
> host);
> - strcpy(h_errhost, host);
> + strlcpy(h_errhost, host, sizeof (h_errhost));
> h_errno = TRY_AGAIN;
> return NULL;
> }
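Review bot: the strlcpy() on the `+` line is not portable beyond the BSDs (the reply above already notes it appears FreeBSD specific), so this hunk will not link on platforms whose libc lacks it; a portable drop-in with the same bounded, NUL-terminated behaviour is `snprintf(h_errhost, sizeof h_errhost, "%s", host);` or a small local bounded-copy helper. Either way the copy now truncates silently; since h_errhost is only filled on the error path next to `h_errno = TRY_AGAIN;`, a truncated host name is acceptable there, but a comment saying so would save the next reader from wondering whether the full name is needed.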
....
--
/Matti Aarnio <mea@nic.funet.fi>
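As an added illustration (not ZMailer's code, and not Matti's actual fix), the following shows a portable bounded copy standing in for the FreeBSD-specific strlcpy() from the patch, applied to a static fixed-size error-host buffer like the h_errhost the report describes; the buffer size ERRHOST_LEN, the function names and the host names are constructed for the example.

```c
/* Added example, not ZMailer's code: a portable bounded copy standing in
 * for the FreeBSD-specific strlcpy() used in the posted patch, applied to
 * a static fixed-size error-host buffer like the h_errhost the report
 * describes.  The buffer size and host names below are constructed. */
#include <stdio.h>
#include <string.h>

#define ERRHOST_LEN 64          /* constructed; stands in for the real size */
static char h_errhost[ERRHOST_LEN];

/* Copy src into dst (size bytes), always NUL-terminating.  Returns the
 * length of src, as strlcpy() does: a result >= size means truncation. */
static size_t bounded_copy(char *dst, const char *src, size_t size)
{
    size_t len = strlen(src);
    if (size == 0)
        return len;
    size_t n = len < size ? len : size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return len;
}

/* The corrected exception path: record the offending host for later
 * diagnostics without overrunning h_errhost.  Returns 1 if truncated. */
int record_errhost(const char *host)
{
    size_t len = bounded_copy(h_errhost, host, sizeof h_errhost);
    if (len >= sizeof h_errhost) {
        fprintf(stderr, "search_res: host name truncated (%zu bytes)\n", len);
        return 1;
    }
    return 0;
}

const char *current_errhost(void) { return h_errhost; }

int main(void)
{
    /* Constructed input: the tail of a To: header after a lost ']',
     * far longer than any legitimate host name. */
    char bogus[400];
    memset(bogus, 'a', sizeof bogus - 1);
    bogus[sizeof bogus - 1] = '\0';
    record_errhost("mail.example.org");
    printf("%s\n", current_errhost());
    record_errhost(bogus);        /* strcpy() here would overrun the buffer */
    printf("%zu\n", strlen(current_errhost()));
    return 0;
}
```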