Re: Router SIGSEGV
On Mon, Jul 05, 2004 at 11:57:50AM -0300, zmailer wrote:
> Hi,
>
> We have found a problem with the router.
> You can do a DOS attack by sending a simple
> mail.
>
> Creating a To: field in the header like:
> To: "\(AnyText"
>
> the router dies with a SIGSEGV without removing
> the message, so it keeps processing it with the same
> result....

Let me guess, you are running this in a Linux system with newish glibc?
(it blows up in my face as well...)

It stems from libsh/execute.c:1072 PRESUMING that "FILE f" is a
stack-allocated instance of a FILE object.. which in glibc does not
happen :-( Why does it break only in this ONE instance, I am not so
sure..

Aargh... Now I know ... Millions of letters, and never used that
one buggy (and obsolete and now removed) code-path.

I fixed the beast to survive crossbar rewrite in this form.

> Any text, between double quotes starting with a
> backslash parenthesis, but without a mail address
> between less and greater than.

The backslash isn't necessary there to cause the original trouble..

> I'm testing this on a zmailer-2.99.56 version,
> but 2.99.56-patch1pre2 has the same problem.
>
> We have been looking but didn't find the problem yet.
> So, if somebody can help....
>
> TIA.
>
> Example
> =======
> EHLO x
> MAIL FROM:<test@test.com>
> RCPT TO:<some@one.com>
> DATA
> From: test@test.com
> To: "\(Troubles"
> Subject: DDOS
>
> asdfg
>
> .
--
/Matti Aarnio <mea@nic.funet.fi>