Re: [exim-dev] buffer overflow?

Author: Philip Hazel
Date:  
To: Geraint Edwards
CC: exim-dev
Subject: Re: [exim-dev] buffer overflow?
On Wed, 6 Apr 2005, Geraint Edwards wrote:

> I'm also getting this - exactly the same thing about once a day
> (not a hugely busy server - 100s of e-mails a day). Also on
> FreeBSD (4.11 in my case, RELENG_4_11 from April 1st). Exim 4.50
> is the port from same date.


Did you apply the patch I posted recently?

> ######################################################################
> *** smtp_in.c.orig   Thu Feb 17 14:49:11 2005
> --- smtp_in.c        Tue Apr  5 20:17:00 2005
> ***************
> *** 1610,1615 ****
> --- 1610,1622 ----
>         &tzero) > 0)
>       {
>       int rc = read(fileno(smtp_in), smtp_inbuffer, in_buffer_size);
> +     if (rc < 0)
> +       {
> +       log_write(0, LOG_MAIN|LOG_REJECT,
> +                 "read() error %d during connection from %s",
> +                 rc, host_and_ident(TRUE));
> +       rc = 0;
> +       }
>       if (rc > 150) rc = 150;
>       smtp_inbuffer[rc] = 0;
>       log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol violation: "
> ######################################################################
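
Review bot: In the added `if (rc < 0)` branch, the log line prints `rc`, which is always -1 when read() fails and so says nothing about the cause; log `errno` (for example through strerror(errno)), captured before any other call can change it. Setting `rc = 0` does stop `smtp_inbuffer[rc] = 0` from storing before the start of the buffer. However, execution then falls through to the "SMTP protocol violation" log_write with an empty input string, so a read error is recorded as a protocol violation by the peer. The same happens for a return of 0 (end of file), which this hunk does not treat specially. Skipping the violation path when rc <= 0 would keep those cases apart.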


Looks pretty much like my patch. :) See below.

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
Get the Exim 4 book:    http://www.uit.co.uk/exim-book




*** exim-4.50/src/smtp_in.c Thu Feb 17 14:49:11 2005
--- smtp_in.c    Tue Mar 29 16:53:12 2005
***************
*** 1610,1623 ****
        &tzero) > 0)
      {
      int rc = read(fileno(smtp_in), smtp_inbuffer, in_buffer_size);
!     if (rc > 150) rc = 150;
!     smtp_inbuffer[rc] = 0;
!     log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol violation: "
!       "synchronization error (input sent without waiting for greeting): "
!       "rejected connection from %s input=\"%s\"", host_and_ident(TRUE),
!       string_printing(smtp_inbuffer));
!     smtp_printf("554 SMTP synchronization error\r\n");
!     return FALSE;
      }
    }


--- 1616,1632 ----
        &tzero) > 0)
      {
      int rc = read(fileno(smtp_in), smtp_inbuffer, in_buffer_size);
!     if (rc > 0)
!       {
!       if (rc > 150) rc = 150;
!       smtp_inbuffer[rc] = 0;
!       log_write(0, LOG_MAIN|LOG_REJECT, "SMTP protocol violation: "
!         "synchronization error (input sent without waiting for greeting): "
!         "rejected connection from %s input=\"%s\"", host_and_ident(TRUE),
!         string_printing(smtp_inbuffer));
!       smtp_printf("554 SMTP synchronization error\r\n");
!       return FALSE;
!       }
      }
    }
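
Review bot: With the new `if (rc > 0)` guard, a read() return of 0 or -1 is ignored without a trace: nothing is logged and control falls out of the block as though no early input had been seen. The guard does remove the out-of-bounds store `smtp_inbuffer[rc] = 0` for rc == -1, but a short comment saying why rc <= 0 is deliberately skipped, or a log line for the error case, would make the intent clear. Separately, the store at index rc assumes the buffer has room for one byte beyond what read() returned (index 150 after the clamp, or index in_buffer_size if that is smaller and read() fills the buffer). The allocated size of smtp_inbuffer is not visible in this hunk, so that is worth confirming.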