
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Buffer overflow in pop.c
02 Sep 1999 12:19:54 GMT Fritz Thomas <phybabdyi-yavwm634fvxr.ml@ml.delegate.org>


Hi there!

We ran a security scan on a box running delegated as a POP proxy, and we
detected a buffer overflow
when the input string exceeded 256 bytes.
The attached "quick'n'dirty" patch is our workaround for the moment.
If a more experienced programmer fixes this problem in a better way, please
let us know.

Greetinx

Thomas

 <<delegate-patch.txt>> 

--- /usr/src/delegate5.9.3.org/src/pop.c	Tue Aug 31 19:09:22 1999
+++ /usr/src/delegate5.9.3/src/pop.c	Thu Sep  2 10:06:20 1999
@@ -479,37 +479,43 @@
 	fflush(tc);
 
 	while( fgetsTIMEOUT(req,sizeof(req),fc) != NULL ) GOT: {
-		vp = wordscan(req,com);
-		if( strcaseeq(com,"USER") || strcaseeq(com,"APOP") ){
-			sv1log("POP C-S: %s",req);
-			req[0] = 0;
-			if( strcaseeq(com,"USER") ){
-				wordscan(vp,user);
-				pass[0] = 0;
+		if ( strlen(req) < 255 ) {
+			vp = wordscan(req,com);
+			if( strcaseeq(com,"USER") || strcaseeq(com,"APOP") ){
+				sv1log("POP C-S: %s",req);
+				req[0] = 0;
+				if( strcaseeq(com,"USER") ){
+					wordscan(vp,user);
+					pass[0] = 0;
+				}else{
+					vp = wordscan(vp,user);
+					wordscan(vp,pass);
+				}
+				resp[0] = 0;
+				if( change_server(Conn,fc,tc,user,pass,seed,req,resp) ){
+					if( req[0] )
+						goto GOT;
+					else	break;
+				}
+				if( resp[0] )
+					fputs(resp,tc);
+				else
+				fprintf(tc,"-ERR %s username@hostname is expected.\r\n",
+					com);
+			}else
+			if( strcaseeq(com,"QUIT") ){
+				fprintf(tc,"+OK bye.\r\n");
+				fflush(tc);
+				break;
 			}else{
-				vp = wordscan(vp,user);
-				wordscan(vp,pass);
+				fprintf(tc,"-ERR Unknown command: \"%s\"\r\n",com);
 			}
-			resp[0] = 0;
-			if( change_server(Conn,fc,tc,user,pass,seed,req,resp) ){
-				if( req[0] )
-					goto GOT;
-				else	break;
-			}
-			if( resp[0] )
-				fputs(resp,tc);
-			else
-			fprintf(tc,"-ERR %s username@hostname is expected.\r\n",
-				com);
-		}else
-		if( strcaseeq(com,"QUIT") ){
-			fprintf(tc,"+OK bye.\r\n");
 			fflush(tc);
-			break;
-		}else{
-			fprintf(tc,"-ERR Unknown command: \"%s\"\r\n",com);
+		}else{	
+			fprintf(tc,"-ERR Inputstring too long.\r\n");
+			sv1log ("POP C-S: Inputstring too long.");
+			fflush(tc);
 		}
-		fflush(tc);
 	}
 	fclose(tc);
 	fclose(fc);
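Review bot: The new guard `if ( strlen(req) < 255 ) {` hard-codes a length that is not tied to any buffer visible in the hunk. `req` is already bounded by `fgetsTIMEOUT(req,sizeof(req),fc)`, so the overflow presumably happens when `wordscan` copies a word into `com`, `user` or `pass`, whose declarations lie outside the hunk. If those are arrays, derive the limit from them instead of a literal, e.g. `if( strlen(req) < sizeof(com) && strlen(req) < sizeof(user) && strlen(req) < sizeof(pass) ){`, or bound the copy inside `wordscan` itself. Separately, in the new `else` branch the unread tail of an over-long line stays in `fc` and the next loop iteration parses it as a fresh command. Assuming `fgetsTIMEOUT` keeps the trailing newline as `fgets` does, that branch should read and discard chunks until one contains `'\n'` before sending the `-ERR` reply.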

