Re: Hoo boy...

Author: Jawaid Bazyar
Date:  
To: Pete Ashdown, Exim Mailing List
Subject: Re: Hoo boy...
At 04:09 PM 7/21/97 -0600, Pete Ashdown wrote:

>>From: djb@??? (D. J. Bernstein)


>>Source code pointers: exim checks for :include: in .forward files at
>>line 1031 of exim/parse.c. At line 1034 it defines a buffer of 256
>>characters. It copies the :include: filename into the buffer. If the
>>first character of the filename is not a slash, it returns immediately.
>>
>>Exploit: Run exim -bt you@???, with appropriate code in the
>>environment, with an appropriate :include: filename in ~/.forward.


Patch:

+    /* if len-9 > 256 then truncate the string! */
+    if (len > 255+9) len = 255+9;
     strncpy(filename, s+9, len-9);
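Review bot: the comment and the clamp disagree, and the copy is still not shown to be NUL-terminated. The comment says "if len-9 > 256" while the code clamps len-9 to 255; with the 256-character buffer described above a 255-character name fits only if a terminator is written after the strncpy, which this hunk does not do, so add `filename[len-9] = '\0';` after the copy. Consider also rejecting an over-long :include: entry outright rather than silently truncating it, since truncation changes which file gets included, and clamp a separate local rather than `len` itself if `len` is used afterwards to advance through the .forward entry.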


I don't have BSD so I can't test this, but this will definitely prevent the
buffer overflow.

A more intelligent patch might alloc/malloc space of the appropriate size,
but this is a faster fix.

--
 Jawaid Bazyar              |   Affordable WWW & Internet Solutions
 Interlink Advertising Svcs |   for Small Business
 bazyar@???       |   P.O Box 641               (303) 781-3273
 --The Future is Now!--     |   Englewood, CO 80151-0641  (303) 789-4197 fax
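As an added example (not Exim's code and not the patch above), a bounded copy of the :include: filename that rejects an over-long entry instead of truncating it and writes the terminator explicitly; the function name, its argument shapes and the 256-byte buffer used when calling it are assumptions for illustration:

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical bounded copy of an :include: filename (illustration only).
 * `s` points at the start of the ":include:" token and `len` is the token
 * length, as in the quoted patch; `filename` has `cap` bytes of storage.
 * Returns 1 when the name was copied, 0 when the entry is rejected. */
#define INCLUDE_PREFIX     ":include:"
#define INCLUDE_PREFIX_LEN 9

int copy_include_filename(const char *s, size_t len, char *filename, size_t cap)
{
    size_t namelen;

    /* The token must carry the prefix itself. */
    if (len < INCLUDE_PREFIX_LEN ||
        strncmp(s, INCLUDE_PREFIX, INCLUDE_PREFIX_LEN) != 0)
        return 0;
    namelen = len - INCLUDE_PREFIX_LEN;

    /* Reject, rather than silently truncate, a name that does not fit
     * together with its terminating NUL. */
    if (cap == 0 || namelen >= cap)
        return 0;

    /* Only absolute paths are accepted, the same rule the quoted text
     * describes for the original check. */
    if (namelen == 0 || s[INCLUDE_PREFIX_LEN] != '/')
        return 0;

    memcpy(filename, s + INCLUDE_PREFIX_LEN, namelen);
    filename[namelen] = '\0';   /* strncpy alone would not guarantee this */
    return 1;
}
```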