Author: Andreas Metzler
Date:
To: Exim-Users (E-mail)
Subject: Re: [Exim] verify=header_syntax Buffer overflow (CAN-2004-0400)
On 2004-05-06 Nico Erfurth <masta@???> wrote:
> Andreas Metzler wrote:
> >Afaict the broken code in src/verify.c is completely useless in exim4.
> >The header name is copied to hname but the error message is generated
> >from h->text and hname is ignored.
> Damn, you've beaten me by 5 secs ;)
Hello,
I cheated. I was pre-warned by Debian's security team. ;-)
> Yes, the code looks useless. Looks like Philip already wanted to fix it,
> but left the broken code lying around.
> >Shouldn't exim reject
> >
> >To : bar@foo
> >
> >at least if 'verify = header_syntax' is used?
> I've quickly looked over the rfc, and it's IMHO not very clear about it.
> <quote>
> Header fields are lines composed of a field name, followed by a colon
> (":"), followed by a field body, and terminated by CRLF. A field
> name MUST be composed of printable US-ASCII characters (i.e.,
> characters that have values between 33 and 126, inclusive), except
> colon.
> </quote>
That is quite clear imho. SPACE is 32 and therefore not "between 33
and 126". And later it says: