On Tue, 24 Jul 2001, Philip Hazel wrote:
> On Tue, 24 Jul 2001, Phil Pennock wrote:
>
> > Philip: there would appear to be a local user DoS against the
> > mail-system if the user creates .forward as a sparse file. In fact, I
> > just caused Exim to segfault.
>
> Oh what devious minds some people have! I'll investigate and fix. (I
> suspect it isn't the sparseness, per se, but the lots of leading zeros
> that are seen when the file is read. Or possible the huge apparent size
> of the file...)

Running your test on Solaris 8 gives different errors, but no crashes.
First I got "value too large for defined data type", then when I reduced
the size a bit I got "malloc failed". Clearly it is the apparent huge
size of the .forward file that is a problem. (Remember, a program cannot
tell whether the file it is reading is sparse or not - that's the whole
point of sparseness.) So what I will do is to implement a new option for
forwardfile, called max_file_size, and default it to 1Mb.

But not now. I'm just off to run the Exim course.

Actually, I'm not sure if this is worth retrofitting to Exim 3, but I'll
do something for Exim 4.
--
Philip Hazel University of Cambridge Computing Service,
ph10@??? Cambridge, England. Phone: +44 1223 334714.
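The size check described in the reply, as an added example written for this page and not Exim's own code: before allocating a buffer for a .forward-style file, fstat() it and refuse anything whose apparent size exceeds a limit, mirroring the proposed max_file_size option and its 1Mb default. The function names, the MAX_FILE_SIZE constant, the FWD_* status codes and the /tmp test paths are all assumptions of this example; the test file with a large apparent size but little real data is constructed here to show the check firing.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical limit, matching the 1Mb default proposed in the thread. */
#define MAX_FILE_SIZE (1024 * 1024)

/* Result codes for read_forward_file() (names are this example's own). */
enum fwd_status { FWD_OK = 0, FWD_TOO_LARGE = 1, FWD_NOT_REGULAR = 2, FWD_IO_ERROR = 3 };

/* Read a .forward-style file into a malloc'd, NUL-terminated buffer, but
   only after checking its apparent size (st_size) against max_size. A sparse
   file inflates st_size without holding real data, so the check must happen
   before any allocation is sized from it. On success *out/*len are set and
   the caller frees *out; on failure *out is NULL. */
enum fwd_status read_forward_file(const char *path, size_t max_size,
                                  char **out, size_t *len)
{
    *out = NULL;
    *len = 0;

    int fd = open(path, O_RDONLY);
    if (fd < 0) return FWD_IO_ERROR;

    struct stat st;
    if (fstat(fd, &st) != 0) { close(fd); return FWD_IO_ERROR; }

    /* A FIFO or device would report a misleading size and may block forever. */
    if (!S_ISREG(st.st_mode)) { close(fd); return FWD_NOT_REGULAR; }

    /* The actual max_file_size check: reject on apparent size, not on how
       many blocks are really allocated. */
    if (st.st_size < 0 || st.st_size > (off_t)max_size) {
        close(fd);
        return FWD_TOO_LARGE;
    }

    size_t cap = (size_t)st.st_size;
    char *buf = malloc(cap + 1);          /* bounded by max_size now */
    if (buf == NULL) { close(fd); return FWD_IO_ERROR; }

    size_t got = 0;
    while (got < cap) {
        ssize_t n = read(fd, buf + got, cap - got);
        if (n < 0) {
            if (errno == EINTR) continue;
            free(buf); close(fd);
            return FWD_IO_ERROR;
        }
        if (n == 0) break;                /* file shrank under us; keep what we have */
        got += (size_t)n;
    }
    close(fd);
    buf[got] = '\0';
    *out = buf;
    *len = got;
    return FWD_OK;
}

/* Test helper: create a file holding `content`, then extend its apparent size
   with ftruncate() so stat() reports `apparent_size` bytes. Constructed
   input for the demonstration, not a real .forward file. */
int make_test_file(const char *path, const char *content, off_t apparent_size)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    size_t clen = strlen(content);
    if (write(fd, content, clen) != (ssize_t)clen) { close(fd); return -1; }
    if (apparent_size > (off_t)clen && ftruncate(fd, apparent_size) != 0) {
        close(fd);
        return -1;
    }
    return close(fd);
}

int main(void)
{
    const char *ok_path = "/tmp/fwd_example_small";
    const char *big_path = "/tmp/fwd_example_sparse";
    char *buf = NULL;
    size_t len = 0;

    make_test_file(ok_path, "user@example.invalid\n", 0);
    make_test_file(big_path, "user@example.invalid\n", 2 * 1024 * 1024);

    printf("small file: status %d, %zu bytes read\n",
           read_forward_file(ok_path, MAX_FILE_SIZE, &buf, &len), len);
    free(buf);
    printf("sparse file: status %d (1 = too large, nothing allocated)\n",
           read_forward_file(big_path, MAX_FILE_SIZE, &buf, &len));

    unlink(ok_path);
    unlink(big_path);
    return 0;
}
```

The check deliberately uses st_size rather than st_blocks: the reply's point is that the reader cannot tell sparse from dense, and the allocation is driven by the apparent size anyway, so bounding that number is what prevents the oversized malloc. The "value too large for defined data type" message seen on Solaris is the EOVERFLOW error that stat() returns when a file's size does not fit the build's off_t, which is why a limit check on st_size only works once the stat itself succeeds; the open-then-fstat order also avoids a race between checking a path and opening it.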