Re: [Exim] verify=header_syntax Buffer overflow (CAN-2004-04…

Página Inicial
Delete this message
Reply to this message
Autor: Andreas Metzler
Data:  
Para: Exim-Users (E-mail)
Assunto: Re: [Exim] verify=header_syntax Buffer overflow (CAN-2004-0400)
On 2004-05-06 Nico Erfurth <masta@???> wrote:
> Andreas Metzler wrote:
> >Afaict the broken code in src/verify.c is completely useless in exim4.
> >The header name is copied to hname but the error message is generated
> >from h->text and hname is ignored.


> Damn, you've beaten me by 5 secs ;)


Hello,
I cheated. I was pre-warned by Debian's security team. ;-)

> Yes, the code looks useless. Looks like Philip already wanted to fix it,
> but left the broken code lying around.


> >Shouldn't exim reject
> >
> >To        : bar@foo

> >
> >at east if 'verify = header_syntax' is used?


> I've quickly looked over the rfc, and it's IMHO not very clear about it.


> <quote>
>  Header fields are lines composed of a field name, followed by a colon
>    (":"), followed by a field body, and terminated by CRLF.  A field
>    name MUST be composed of printable US-ASCII characters (i.e.,
>    characters that have values between 33 and 126, inclusive), except
>    colon.
> </quote>


That is quite clear imho. SPACE is 32 and therefore not "between 33
and 126". And later it says:

from            =       "From:" mailbox-list CRLF
sender          =       "Sender:" mailbox CRLF
reply-to        =       "Reply-To:" address-list CRLF
to              =       "To:" address-list CRLF
cc              =       "Cc:" address-list CRLF
bcc             =       "Bcc:" (address-list / [CFWS]) CRLF


            cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"