
Re: [Nmh-workers] nmh 1.2 failed in doing smtp authentication

2008-04-29 14:21:29
Peter Maydell wrote:
> (Also I'd like to audit that code to check
> that the string really is always NUL-terminated.)

I'm glad I did that, because smhear() appears to have had in it for a decade
completely broken accounting of the space left in the reply buffer in the
case where there's a continuation line from the SMTP server.

I think this is at least potentially a security hole in that if you connect
to a malicious SMTP server it could send you lines which result in an overrun
of the (global) buffer and (maybe) execution of arbitrary code.
I don't know how much of a song-and-dance we want to make about that.

(lines 1659-1662 in rev 1.22:
http://cvs.savannah.nongnu.org/viewvc/nmh/mts/smtp/smtp.c?annotate=1.22&root=nmh#l1659
That chunk of code seems (a) to have mistaken rc for a count of bytes used
in the buffer rather than bytes of space free, and also fails to update rp.
Rev 1.23 includes my fix for it and some other less serious issues.)

-- PMM
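As an added illustration of the accounting problem described in the message above (constructed code, not nmh's smhear() or the rev 1.23 fix): the reader below keeps a count of the bytes still free in the reply buffer and advances the write pointer after every line, so a multi-line reply longer than the buffer is truncated instead of overrunning it. The function names, the sample EHLO reply and the guard-byte arena are all invented for this example.

```c
#include <stddef.h>
#include <string.h>
/* Append up to 'len' bytes of 'src' at *rp. *space counts bytes still FREE
 * (excluding the NUL), so the limit check compares against free space, and
 * both the write pointer and the free count are updated after every copy. */
static void reply_append(char **rp, size_t *space, const char *src, size_t len)
{
    if (len > *space)
        len = *space;            /* truncate rather than overrun */
    memcpy(*rp, src, len);
    *rp += len;
    *space -= len;
    **rp = '\0';                 /* buffer is always NUL-terminated */
}
/* 'lines' stands in for successive lines read from the server. Returns the
 * 3-digit reply code, or -1 on a malformed line or a reply with no final
 * "NNN " line. The reply text accumulates in buf[bufsize]. */
int smtp_collect_reply(const char *const *lines, size_t nlines,
                       char *buf, size_t bufsize)
{
    char *rp = buf;
    size_t space = bufsize - 1;  /* reserve one byte for the NUL */
    int code = -1;
    if (bufsize == 0)
        return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < nlines; i++) {
        const char *ln = lines[i];
        if (strlen(ln) < 4 || strspn(ln, "0123456789") < 3 ||
            (ln[3] != '-' && ln[3] != ' '))
            return -1;
        code = (ln[0] - '0') * 100 + (ln[1] - '0') * 10 + (ln[2] - '0');
        reply_append(&rp, &space, ln, strlen(ln));
        if (ln[3] == ' ')
            return code;         /* final line: reply complete */
        reply_append(&rp, &space, "\n", 1);  /* continuation line follows */
    }
    return -1;                   /* input ended before the final line */
}
/* Constructed EHLO reply (75 bytes once joined), not from a real server. */
const char *const demo_lines[] = { "250-mail.example.test Hello",
    "250-SIZE 10240000", "250-AUTH PLAIN LOGIN", "250 HELP" };
/* Collects demo_lines into the first 'bufsize' bytes (<= 128) of a 0x7f-filled
 * arena. Returns the text length, or (size_t)-1 if the byte just past the
 * buffer was touched; the reply code is stored in *code. */
size_t demo_collect(size_t bufsize, int *code)
{
    char arena[130];
    memset(arena, 0x7f, sizeof arena);
    *code = smtp_collect_reply(demo_lines, 4, arena, bufsize);
    return (unsigned char)arena[bufsize] == 0x7f ? strlen(arena) : (size_t)-1;
}
```

With a 64-byte buffer the third continuation line is cut short and the final "250 HELP" line no longer fits, but the reply code is still returned and the guard byte after the buffer is untouched.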


_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
http://lists.nongnu.org/mailman/listinfo/nmh-workers
