Re: potential security hole(s) in 1.71

Author: Philip Hazel
Date:
To: T. William Wells
CC: exim-users
Subject: Re: potential security hole(s) in 1.71
On Thu, 18 Sep 1997, T. William Wells wrote:

> > >      2) exim copies, using strcpy, the results of gethostbyaddr,
> > >     in at least one place. An immediate attack method is to
> > >     create a long HELO line and a tailored DNS record to
> > >     create overruns.

> >
> > I can't find this code. There is only one call to gethostbyaddr() in
> > exim (well, some different versions for IPv4 and IPv6), and afterwards,
> > the code (version 1.71) reads
>
> Right. But the function that contains it is called in a few
> places. The one that bothered me was in the HELO processing, where
> you substituted the address found (ultimately) by gethostbyname
> for the one on the HELO line.
You are right. I should and will fix that. However, fortuitously, it is
safe because there are over 500 bytes available, and names returned by
the DNS are limited to 255. RFC 1034 says:

To simplify implementations, the total number of octets that represent a
domain name (i.e., the sum of all label octets and label lengths) is
limited to 255.

Of course, Exim should not rely on that. Mea culpa.

-- 
Philip Hazel                   University Computing Service,
ph10@???             New Museums Site, Cambridge CB2 3QG,
P.Hazel@???          England.  Phone: +44 1223 334714
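
As an added illustration of the point discussed above (not Exim's code): the unbounded copy of a resolver-supplied name beside a bounded version that enforces the RFC 1034 255-octet limit and the destination size rather than relying on them. HELO_BUF_SIZE, the function names and the sample inputs are assumptions.

```c
/* Added example, not Exim's code. Buffer size and function names are
 * assumptions; the 255-octet limit is the RFC 1034 figure quoted above. */
#include <stddef.h>
#include <string.h>

#define HELO_BUF_SIZE 512   /* assumed: "over 500 bytes available" */
#define DNS_NAME_MAX  255   /* RFC 1034: total octets in a domain name */

/* Unbounded copy: safe only while the resolver never returns more than
 * dst's capacity. This is the pattern the thread is discussing. */
void copy_host_name_unchecked(char *dst, const char *resolved)
{
    strcpy(dst, resolved);
}

/* Bounded copy: scans at most DNS_NAME_MAX + 1 bytes, rejects names over
 * the RFC limit or over dst's capacity, and never writes past dst.
 * Returns 1 on success; on rejection returns 0 and leaves dst empty. */
int copy_host_name_checked(char *dst, size_t dst_size, const char *resolved)
{
    size_t len = 0;

    if (dst_size == 0) return 0;
    dst[0] = '\0';
    if (resolved == NULL) return 0;
    while (len <= DNS_NAME_MAX && resolved[len] != '\0') len++;
    if (len > DNS_NAME_MAX || len >= dst_size) return 0;
    memcpy(dst, resolved, len + 1);
    return 1;
}

/* Constructed inputs for a self-check: a name well over the RFC limit, a
 * destination too small for an ordinary name, and an ordinary name into a
 * full-size buffer. Returns 1 if the bounded copy behaves as intended. */
int self_check(void)
{
    char buf[HELO_BUF_SIZE];
    char small[8];
    char oversized[400];

    memset(oversized, 'a', sizeof(oversized) - 1);
    oversized[sizeof(oversized) - 1] = '\0';

    if (copy_host_name_checked(buf, sizeof(buf), oversized) != 0) return 0;
    if (buf[0] != '\0') return 0;
    if (copy_host_name_checked(small, sizeof(small), "mail.example.org") != 0) return 0;
    if (copy_host_name_checked(buf, sizeof(buf), "mail.example.org") != 1) return 0;
    return strcmp(buf, "mail.example.org") == 0;
}
```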



--
* This is sent by the exim-users mailing list.  To unsubscribe send a
    mail with subject "unsubscribe" to exim-users-request@???
* Exim information can be found at http://www.exim.org/