dkim-ops

Re: [dkim-ops] FW: how can use the DKIM the function

2011-05-17 19:41:03
On Tue, May 17, 2011 at 5:40 PM, John R. Levine <johnl(_at_)iecc(_dot_)com> wrote:
>> How can:
>>
>> log_write(0, LOG_MAIN, (char *)logmsg)
>>
>> be used to arbitrarily inject code? I understand the concept, but
>> having % in the logmsg with no parameters to feed it seems harmless to
>> me.
>
> It took random junk off the stack which presumably overflowed a buffer.
>
> I found it because one of my users (someone you know)

yes, a certain Canadian.

> was complaining that
> all of the mail he sent to a site that uses Exim was disappearing.  I got
> them to look at the logs and found they were logging the DKIM signatures and
> then barfing.
>
> See http://bugs.exim.org/show_bug.cgi?id=1106

yep, I saw that.

> Passing an unchecked string as a printf format is an ancient unix bug.

Ah, so vargs type stuff. Still, I'll have to run it through a debugger
myself to understand.  I would think one would have a loop of some
sort. I would have thought if there were no args it would just end.

(oh, I see Hector has some input too)

-- 
Jeff Macdonald
Ayer, MA

_______________________________________________
dkim-ops mailing list
dkim-ops(_at_)mipassoc(_dot_)org
http://mipassoc.org/mailman/listinfo/dkim-ops
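
Added example, not code from Exim or from anyone in this thread: a sketch in C of why a printf-style logger cannot "just end" when no arguments were passed, and of the constant-format call that treats the text as data. The names demo_log_write, count_conversions and log_untrusted, and the sample string, are hypothetical and constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_line[256];

/* Hypothetical printf-style logger (stand-in, not Exim's log_write). */
static int demo_log_write(const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    /* vsnprintf is never told how many arguments exist: every conversion
       in `format` fetches the next slot whether the caller passed it or not. */
    int n = vsnprintf(last_line, sizeof last_line, format, ap);
    va_end(ap);
    return n;
}

/* Lower bound on the arguments a printf-family call would fetch for `s`.
   "%%" is a literal percent sign and consumes nothing. */
static int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '\0') break;          /* dangling '%' at end of text */
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Safe pattern: constant format, untrusted text passed as data.
   The unsafe pattern, demo_log_write(logmsg), is deliberately not run. */
static const char *log_untrusted(const char *logmsg)
{
    demo_log_write("%s", logmsg);
    return last_line;
}

int main(void)
{
    /* Constructed sample of header-derived text containing '%'. */
    const char *logmsg = "DKIM: d=example.org s=sel%s i=%d%% ok";
    printf("arguments an unchecked call would fetch: %d\n",
           count_conversions(logmsg));
    printf("logged with \"%%s\": %s\n", log_untrusted(logmsg));
    return 0;
}
```

Building with -Wformat -Wformat-security makes GCC and Clang warn about calls that pass a non-literal string as the format with no further arguments.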