Re: [exim] Re: [exim-dev] buffer overflow?

Author: Philip Hazel
Date:  
To: Mark Morley
CC: exim-users
Subject: Re: [exim] Re: [exim-dev] buffer overflow?
On Sat, 12 Mar 2005, Mark Morley wrote:

> For example (wrapped and truncated):
>
> 2005-03-12 02:14:20 SMTP protocol violation: synchronization error (input
> sent without waiting for greeting): rejected connection from
> H=[218.109.116.199] input="# $FreeBSD: src/etc/group,v 1.19.2.3 2002/06/30
> 17:57:17 des Exp $\n#\nwheel:*:0:root,admin\ndaemon:*:1:daemon\n.....


I believe that I have found the bug that causes this. I could not
reproduce your exact symptom; the case I found caused it to print

...input=""

on these messages, but I think on other hosts or operating systems it
could do what it does for you (print uninitialized memory). It's provoked
by a site that connects and immediately disconnects before Exim has a
chance to do anything with it.

The patch for 4.50 is below. I'd be grateful for any reports as to
whether it does fix this.

Philip

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.




*** exim-4.50/src/smtp_in.c Thu Feb 17 14:49:11 2005
--- smtp_in.c    Tue Mar 29 16:53:12 2005
***************
*** 1610,1623 ****
        &tzero) > 0)
      {
      int rc = read(fileno(smtp_in), smtp_inbuffer, in_buffer_size);
!     if (rc > 150) rc = 150;
!     smtp_inbuffer[rc] = 0;
!     log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol violation: "
!       "synchronization error (input sent without waiting for greeting): "
!       "rejected connection from %s input=\"%s\"", host_and_ident(TRUE),
!       string_printing(smtp_inbuffer));
!     smtp_printf("554 SMTP synchronization error\r\n");
!     return FALSE;
      }
    }


--- 1616,1632 ----
        &tzero) > 0)
      {
      int rc = read(fileno(smtp_in), smtp_inbuffer, in_buffer_size);
!     if (rc > 0)
!       {
!       if (rc > 150) rc = 150;
!       smtp_inbuffer[rc] = 0;
!       log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol violation: "
!         "synchronization error (input sent without waiting for greeting): "
!         "rejected connection from %s input=\"%s\"", host_and_ident(TRUE),
!         string_printing(smtp_inbuffer));
!       smtp_printf("554 SMTP synchronization error\r\n");
!       return FALSE;
!       }
      }
    }
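Review bot: the new `if (rc > 0)` guard closes the out-of-range store (when read() returned -1 the old code executed `smtp_inbuffer[-1] = 0`, one byte before the buffer, and then logged whatever the buffer happened to contain; when it returned 0 it wrote the terminator at index 0 and logged `input=""`), but rc == 0 and rc < 0 now fall through silently: nothing is logged, no 554 is sent, and the function continues past line 1632 toward the greeting on a socket whose peer has already gone (what follows the hunk is not shown). Consider an `else` branch that logs the early disconnect, or the read error with errno for rc < 0, and returns FALSE, so the event stays visible in the log rather than disappearing along with the symptom.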
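The failure described in the message above, isolated as an added example (this is not Exim's code, nor the patch itself): a peer that connects and closes, or whose socket read fails, makes read() return 0 or -1, and the unpatched pattern uses that value as an index. The `fake_peer` type, `fake_read`, `check_sync_original`, `check_sync_hardened` and the "stale" buffer contents are all constructed for this demonstration; the out-of-bounds store is recorded as an index rather than performed, so the program is safe to run.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define IN_BUFFER_SIZE 8192
#define LOG_CAP 150          /* the patch caps the logged input at 150 bytes */

/* Constructed stand-in for the remote side: bytes it sends before the
 * banner (none for an immediate close), or a flag to make read() fail. */
typedef struct {
    const char *data;   /* bytes sent before the greeting; len 0 = immediate close */
    int len;
    int fail;           /* nonzero: read() returns -1 */
} fake_peer;

/* Mimics read() on the SMTP socket: 0 on EOF, -1 on error, else a byte count. */
static int fake_read(const fake_peer *p, char *buf, int bufsize) {
    if (p->fail) { errno = ECONNRESET; return -1; }
    int n = p->len < bufsize ? p->len : bufsize;
    if (n > 0) memcpy(buf, p->data, n);
    return n;
}

typedef enum { SYNC_VIOLATION, SYNC_PEER_GONE, SYNC_READ_ERROR } sync_result;

/* Pre-patch shape: rc is used as an index without being checked. The store
 * that would go out of bounds is recorded in *terminator_index instead of
 * being executed, so the behaviour can be observed without undefined
 * behaviour. The buffer is pre-filled with constructed "stale" bytes to
 * stand in for whatever memory held before. */
static sync_result check_sync_original(const fake_peer *peer, char *logbuf,
                                       size_t logsz, int *terminator_index) {
    char inbuf[IN_BUFFER_SIZE];
    strcpy(inbuf, "wheel:*:0:root,admin");          /* constructed stale content */
    int rc = fake_read(peer, inbuf, IN_BUFFER_SIZE);
    if (rc > LOG_CAP) rc = LOG_CAP;
    *terminator_index = rc;                          /* -1 on a read error */
    if (rc >= 0) inbuf[rc] = 0;                      /* rc == 0 empties the string */
    snprintf(logbuf, logsz, "input=\"%s\"", inbuf); /* rc == -1 logs stale bytes */
    return SYNC_VIOLATION;                           /* every path reported as a violation */
}

/* Hardened shape, following the 4.50 patch: only bytes actually read are a
 * synchronization violation; EOF and errors are distinguished and reported
 * rather than being indexed into the buffer or silently dropped. */
static sync_result check_sync_hardened(const fake_peer *peer, char *logbuf, size_t logsz) {
    char inbuf[IN_BUFFER_SIZE];
    int rc = fake_read(peer, inbuf, IN_BUFFER_SIZE);
    if (rc > 0) {
        if (rc > LOG_CAP) rc = LOG_CAP;
        inbuf[rc] = 0;                               /* always within [0, LOG_CAP] here */
        snprintf(logbuf, logsz, "synchronization error: input=\"%s\"", inbuf);
        return SYNC_VIOLATION;
    }
    if (rc == 0) {
        snprintf(logbuf, logsz, "peer closed before greeting");
        return SYNC_PEER_GONE;
    }
    snprintf(logbuf, logsz, "read error before greeting: %s", strerror(errno));
    return SYNC_READ_ERROR;
}

int main(void) {
    fake_peer gone  = { "", 0, 0 };                  /* connect, then close at once */
    fake_peer err   = { "", 0, 1 };                  /* read() fails */
    fake_peer early = { "EHLO x\r\n", 8, 0 };        /* talks before the banner */
    char log[256];
    int idx;
    check_sync_original(&gone, log, sizeof log, &idx);
    printf("original, EOF:   index %d, %s\n", idx, log);
    check_sync_original(&err, log, sizeof log, &idx);
    printf("original, error: index %d, %s\n", idx, log);
    check_sync_hardened(&gone, log, sizeof log);  printf("hardened, EOF:   %s\n", log);
    check_sync_hardened(&err, log, sizeof log);   printf("hardened, error: %s\n", log);
    check_sync_hardened(&early, log, sizeof log); printf("hardened, data:  %s\n", log);
    return 0;
}
```

The original shape reproduces both symptoms from the thread: an immediate close yields `input=""`, and a failed read yields a terminator index of -1 together with a log line built from bytes the peer never sent. The hardened shape keeps the patch's `rc > 0` guard and adds explicit reporting for the two non-data cases instead of letting them fall through.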