On Thu, 18 Sep 1997, T. William Wells wrote:
> > > 2) exim copies, using strcpy, the results of gethostbyaddr,
> > > in at least one place. An immediate attack method is to
> > > create a long HELO line and a tailored DNS record to
> > > create overruns.
> >
> > I can't find this code. There is only one call to gethostbyaddr() in
> > exim (well, some different versions for IPv4 and IPv6), and afterwards,
> > the code (version 1.71) reads
>
> Right. But the function that contains it is called in a few
> places. The one that bothered me was in the HELO processing, where
> you substituted the address found (ultimately) by gethostbyname
> for the one on the HELO line.
You are right. I should and will fix that. However, fortuitously, it is
safe because there are over 500 bytes available, and names returned by
the DNS are limited to 255. RFC 1034 says:

    To simplify implementations, the total number of octets that represent a
    domain name (i.e., the sum of all label octets and label lengths) is
    limited to 255.

Of course, Exim should not rely on that. Mea culpa.
--
Philip Hazel University Computing Service,
ph10@??? New Museums Site, Cambridge CB2 3QG,
P.Hazel@??? England. Phone: +44 1223 334714
--
* This is sent by the exim-users mailing list. To unsubscribe send a
mail with subject "unsubscribe" to exim-users-request@???
* Exim information can be found at http://www.exim.org/
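The thread describes an unchecked strcpy() of a resolver-returned host name into the HELO buffer, relying only on the DNS honouring the 255-octet limit. The following is an added example, not Exim's code, of how such a copy can be bounded so that neither the buffer size nor the RFC limit is taken on trust; the buffer size and the function names are assumptions for the example.

```c
#include <netdb.h>      /* struct hostent */
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Sizes are assumptions for this example: the post only says the HELO
 * buffer has "over 500 bytes" and that DNS names are capped at 255. */
#define HELO_BUF_SIZE 512
#define DNS_NAME_MAX  255   /* RFC 1034 total-length limit */
#define DNS_LABEL_MAX 63    /* RFC 1034 per-label limit */

/* Return 1 if `name` is a syntactically plausible host name that respects
 * the RFC 1034 limits, 0 otherwise. Not trusting the DNS to enforce the
 * 255-octet cap is the point the thread ends on. */
int dns_name_is_sane(const char *name)
{
    size_t total = strlen(name), label = 0;
    if (total == 0 || total > DNS_NAME_MAX)
        return 0;
    for (const char *p = name; *p; p++) {
        if (*p == '.') {
            if (label == 0)             /* empty label, e.g. "a..b" */
                return 0;
            label = 0;
            continue;
        }
        if (!isalnum((unsigned char)*p) && *p != '-')
            return 0;                   /* not a hostname character */
        if (++label > DNS_LABEL_MAX)
            return 0;
    }
    return 1;
}

/* Hardened replacement for the strcpy pattern: copy the resolver's name
 * into the fixed HELO buffer only if it passes the checks and fits.
 * Returns 0 on success, -1 when the name is rejected (buffer untouched). */
int helo_set_resolved_name(char *dst, size_t dstlen, const struct hostent *he)
{
    if (he == NULL || he->h_name == NULL || !dns_name_is_sane(he->h_name))
        return -1;
    size_t n = strlen(he->h_name);
    if (n + 1 > dstlen)                 /* no room for name plus terminator */
        return -1;
    memcpy(dst, he->h_name, n + 1);
    return 0;
}
```

The struct hostent can come from gethostbyaddr() in real use; a caller that gets -1 should keep the name from the HELO line rather than substitute anything.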