Re: [Nmh-workers] nmh 1.2 failed in doing smtp authentication
From: Peter Maydell
Subject: Re: [Nmh-workers] nmh 1.2 failed in doing smtp authentication
Date: Thu, 01 May 2008 09:52:48 +0100
Peter Maydell wrote:
>I'm glad I did that, because smhear() appears to have had in it for a decade
>completely broken accounting of the space left in the reply buffer in the
>case where there's a continuation line from the SMTP server.
>
>I think this is at least potentially a security hole in that if you connect
>to a malicious SMTP server it could send you lines which result in an overrun
>of the (global) buffer and (maybe) execution of arbitrary code.
Closer examination of the surrounding code leads me to think that you
can't overrun the buffer by more than a few bytes (you can't get to
the offending bit of code more than once even in a multi-line SMTP
response). So it's not as bad as I'd feared it might be, and I don't
think it's exploitable.
-- PMM
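
An added example, not part of the original message and not nmh's smhear() code: one way to keep the space accounting right when SMTP continuation lines are appended to a fixed reply buffer. The struct, function names, buffer size and sample reply are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 32  /* deliberately small so the sample reply exceeds it */

struct reply { int code; size_t len; int truncated; char text[REPLY_MAX]; };

/* Constructed sample input: one multi-line reply longer than REPLY_MAX. */
static const char *const sample[] = {
    "250-mail.example.test greets you\r\n",
    "250-AUTH PLAIN LOGIN\r\n",
    "250 SIZE 10485760\r\n",
};

/* Append n bytes; room is recomputed from r->len on every call, so the
   separator added before a continuation line's text is charged as well. */
static void append_text(struct reply *r, const char *s, size_t n)
{
    size_t room = REPLY_MAX - 1 - r->len;
    if (r->len > 0 && room > 0) { r->text[r->len++] = '\n'; room--; }
    if (n > room) { n = room; r->truncated = 1; }
    memcpy(r->text + r->len, s, n);
    r->len += n;
    r->text[r->len] = '\0';
}

/* Returns 0 once the final line ("250 ...") is consumed, -1 if the input is
   malformed or ends mid-reply. Simplification: the separator is required. */
static int read_reply(struct reply *r, const char *const *lines, size_t count)
{
    memset(r, 0, sizeof *r);
    for (size_t i = 0; i < count; i++) {
        const char *l = lines[i];
        size_t n = strcspn(l, "\r\n");
        if (n < 4 || strspn(l, "0123456789") != 3) return -1;
        if (l[3] != '-' && l[3] != ' ') return -1;
        r->code = (l[0] - '0') * 100 + (l[1] - '0') * 10 + (l[2] - '0');
        append_text(r, l + 4, n - 4);
        if (l[3] == ' ') return 0;
    }
    return -1;
}

int main(void)
{
    struct reply r;
    int rc = read_reply(&r, sample, sizeof sample / sizeof sample[0]);
    printf("rc=%d code=%d len=%zu truncated=%d\n", rc, r.code, r.len, r.truncated);
    return 0;
}
```

Excess server text is dropped and flagged in `truncated` rather than written past the end of `text`.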