[Raw Msg Headers][Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Router SIGSEGV

On Mon, Jul 05, 2004 at 11:57:50AM -0300, zmailer wrote:
> Hi,
> We have found a problem with the router.
> You can do a DOS attack by sending a simple 
> mail.
> Creating a To: field in the header like:
> To: "\(AnyText"
> the router dies with a SIGSEV whitout removing
> the message, so it keeps processing it whit the same
> result....

Let me guess, you are running this in a Linux system with newish glibc ?
(it blows up to my face as well...)

It stems from  libsh/execute.c:1072  PRESUMING, that "FILE f" is
stack allocated instance of FILE object..  which in glibc  does not
happen :-(  Why does it break only in this ONE instance, I am not so

Aargh...  Now I know ...  Millions of letters, and never used that
one buggy (and obsolete and now removed) code-path.

I fixed the beast to survive crossbar rewrite in this form.

> Any text, between double quotes starting with a
> backslash parenthesis, but without a mail address
> between less and greater than.

The backslash isn't necessary there to cause the original trouble..

> I'm testing this on a zmailer-2.99.56 version, 
> but 2.99.56-patch1pre2 has the same problem.
> We have been looking but didn't find the problem yet.
> So, if somebody can help....
> TIA.
> Example
> =======
> EHLO x
> MAIL FROM:<test@test.com>
> RCPT TO:<some@one.com>
> From: test@test.com
> To: "\(Troubles"
> Subject: DDOS
> asdfg
> .

/Matti Aarnio	<mea@nic.funet.fi>
To unsubscribe from this list: send the line "unsubscribe zmailer" in
the body of a message to majordomo@nic.funet.fi