nmh-workers

[Nmh-workers] 1.1RC4: buffer overrun in scan

2005-11-05 18:52:25
Watch:

mnementh$ gdb ./scan
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) run -width 16536 -file /tmp/bad.txt
Starting program: /home/pm215/junk/nmh-from-cvs/uip/scan -width 16536 -file /tmp/bad.txt

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

The file in question is available at

http://www.chiark.greenend.org.uk/~pmaydell/misc/bad.txt

It's got a 16K long From field, all on one line. This would probably
be tricky to get through MTAs without something folding it, however:

http://www.chiark.greenend.org.uk/~pmaydell/misc/bad2047.txt

is a folded From header and also crashes. (The presence of the RFC2047
encoded bit seems to be necessary in the folded case: perhaps there are
two overruns...)

This seems to have been in nmh for some time: a 1.0.4 I had also exhibits
the bug. This would be a remote exploit if you were in the habit of
running scan with ludicrously high width parameters. (Not quite so
implausible as you might think, since an easy way to get untruncated
headers in a script is to run scan with a large -width and look at the
result, but 16K is pretty silly even for that.)

I think this ought to be fixed for 1.2, but I don't know if I'll have
time to investigate before next week. Preliminary investigation suggests
that at least one of the problems is decode_rfc2047(), whose API is
totally broken since it has to be passed a preallocated buffer but
doesn't let the caller specify the length of the buffer...

On the bright side, I've now checked in fixes for all the other things
I thought needed to be fixed for 1.2...

-- PMM
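
The post's diagnosis is that decode_rfc2047() writes into a caller-supplied buffer without being told how big that buffer is, so an oversized encoded word in a From: header runs straight past the end. The following is an added illustration, not nmh's own decode_rfc2047() and not code from this thread: a minimal decoder for one RFC 2047 Q-encoded word (B encoding is deliberately not handled) whose signature carries the destination length and which refuses to write beyond it. The function names, the 64-byte buffer size and the 300-byte constructed input are assumptions made for the example; the shape of the check is the point.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode one RFC 2047 encoded-word of the form =?charset?Q?text?=
 * (charset is parsed but ignored; only Q encoding is supported here).
 * dst receives the decoded bytes plus a terminating NUL.  Returns the
 * number of decoded bytes, or -1 if the word is malformed or the result
 * (including the NUL) would not fit in dstlen bytes.  On -1, dst is still
 * NUL-terminated, so a caller that prints it cannot read past the end.
 * This is an illustrative signature, not nmh's decode_rfc2047(). */
int decode_rfc2047_q(const char *word, char *dst, size_t dstlen)
{
    size_t out = 0;
    const char *p, *q, *end;

    if (dstlen == 0) return -1;
    dst[0] = '\0';

    /* Leading "=?charset?Q?" */
    if (strncmp(word, "=?", 2) != 0) return -1;
    p = strchr(word + 2, '?');                 /* end of charset */
    if (!p || (p[1] != 'Q' && p[1] != 'q') || p[2] != '?') return -1;
    p += 3;                                    /* first byte of encoded text */
    end = strstr(p, "?=");                     /* trailing "?=" */
    if (!end) return -1;

    for (q = p; q < end; q++) {
        unsigned char c;
        if (*q == '_') {
            c = ' ';                           /* '_' stands for space */
        } else if (*q == '=') {
            int hi, lo;
            if (q + 2 >= end) goto fail;       /* need two hex digits */
            hi = hexval(q[1]);
            lo = hexval(q[2]);
            if (hi < 0 || lo < 0) goto fail;
            c = (unsigned char)(hi * 16 + lo);
            q += 2;
        } else {
            c = (unsigned char)*q;
        }
        /* The check the post says the original API cannot perform:
         * stop before writing past the caller's buffer, keeping room
         * for the NUL. */
        if (out + 1 >= dstlen) goto fail;
        dst[out++] = (char)c;
    }
    dst[out] = '\0';
    return (int)out;

fail:
    dst[out] = '\0';
    return -1;
}

/* Constructed input in the spirit of the post's 16K From: line: an
 * encoded word far longer than the 64-byte buffer handed to the decoder.
 * Returns 1 if the decoder rejects it without overrunning the buffer. */
int long_word_rejected(void)
{
    char word[512];
    char dst[64];
    size_t n = 0;

    memcpy(word + n, "=?US-ASCII?Q?", 13); n += 13;
    memset(word + n, 'A', 300);            n += 300;
    memcpy(word + n, "?=", 3);             /* copies the NUL too */

    return decode_rfc2047_q(word, dst, sizeof dst) == -1
        && strlen(dst) == sizeof dst - 1;  /* filled, then terminated */
}

int main(void)
{
    char buf[32];
    int n = decode_rfc2047_q("=?ISO-8859-1?Q?Hello_=3Dworld?=", buf, sizeof buf);
    printf("%d bytes: \"%s\"\n", n, buf);
    printf("oversized word rejected: %d\n", long_word_rejected());
    return 0;
}
```

With the length in the signature the decoder fails closed on the oversized header instead of writing 0x41 bytes over the return address; the caller then decides whether to truncate or skip the header, which is the decision the post's -width scenario needs to be able to make.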


_______________________________________________
Nmh-workers mailing list
Nmh-workers@nongnu.org
http://lists.nongnu.org/mailman/listinfo/nmh-workers