Date: Mon, 5 Oct 2015 09:57:32 +0200
From: Gilles Chehade <gilles@...lp.org>
To: "Jason A. Donenfeld" <Jason@...c4.com>
Cc: misc <misc@...nsmtpd.org>,
	oss-security <oss-security@...ts.openwall.com>
Subject: Re: Remotely triggerable buffer overflow in OpenSMTPD

On Mon, Oct 05, 2015 at 12:38:50AM +0200, Jason A. Donenfeld wrote:
> Hi folks,
> 
> I'm passing the gauntlet for anyone who wants to analyze this for
> impact etc. There's a remotely triggerable buffer overflow in
> OpenBSD's OpenSMTPD -- the latest version, 5.7.2 -- reachable by
> sending messages with huge header lines. Qualys recently published a
> result of a big audit, but it seems like they based their
> investigations primarily on an older version of OpenSMTPD that didn't
> have as much of the "filter" infrastructure. I'd recommend interested
> parties spend some time looking through the filter code, as there
> could be more problems. Here's a vulnerability in the filter io path:
> 

This affects the 5.7.x branch, we'll publish a fixed release shortly.

Here's the diff to fix the issue until we've prepared the release.


diff --git a/smtpd/filter.c b/smtpd/filter.c
index 062f00f..8af6eab 100644
--- a/smtpd/filter.c
+++ b/smtpd/filter.c
@@ -726,7 +726,6 @@ filter_tx_io(struct io *io, int evt)
 	struct filter_session	*s = io->arg;
 	size_t			 len, n;
 	char			*data;
-	char			buf[65535];
 
 	log_trace(TRACE_FILTERS, "filter: filter_tx_io(%p, %s)", s, io_strevent(evt));
 
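Review bot: Removing `char buf[65535];` from the declarations is only complete if no other case of the switch in filter_tx_io still reads or writes buf. This diff shows only the IO_DATAIN use, so confirm the remaining cases with a build. It is also worth a line in the commit message that the buffer was a fixed-size stack array while len comes straight from iobuf_len(&s->ibuf), so a later reader does not reintroduce a local copy for logging.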
@@ -734,10 +733,9 @@ filter_tx_io(struct io *io, int evt)
 	case IO_DATAIN:
 		data = iobuf_data(&s->ibuf);
 		len = iobuf_len(&s->ibuf);
-		memmove(buf, data, len);
-		buf[len] = 0;
-		log_trace(TRACE_FILTERS, "filter: filter_tx_io: datain (%zu) for req %016"PRIx64": %s",
-		    len, s->id, buf);
+
+		log_trace(TRACE_FILTERS, "filter: filter_tx_io: datain (%zu) for req %016"PRIx64"",
+		    len, s->id);
 
 		n = fwrite(data, 1, len, s->ofile);
 		if (n != len) {
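Review bot: The new format string in the IO_DATAIN log_trace call ends with `PRIx64""`, and that trailing empty literal is a leftover from the removed `": %s"` and can be dropped. The fix itself is right to delete the copy: the removed `memmove(buf, data, len)` never compared len against sizeof(buf), and `buf[len] = 0` would write one byte past the array even at len == 65535. If the payload is still wanted in the filter trace, print it straight from data with a bounded precision such as `%.*s` and a clamped length instead of copying it, since data carries no terminator of its own in the visible code.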



-- 
Gilles Chehade

https://www.poolp.org                                          @poolpOrg
