
Re: [Nmh-workers] nmh 1.2 failed in doing smtp authentication

2008-05-01 01:53:15
Peter Maydell wrote:
> I'm glad I did that, because smhear() appears to have had in it for a decade
> completely broken accounting of the space left in the reply buffer in the
> case where there's a continuation line from the SMTP server.
>
> I think this is at least potentially a security hole in that if you connect
> to a malicious SMTP server it could send you lines which result in an overrun
> of the (global) buffer and (maybe) execution of arbitrary code.

Closer examination of the surrounding code leads me to think that you
can't overrun the buffer by more than a few bytes (you can't get to
the offending bit of code more than once even in a multi-line SMTP
response). So it's not as bad as I'd feared it might be, and I don't
think it's exploitable.

-- PMM


_______________________________________________
Nmh-workers mailing list
Nmh-workers(_at_)nongnu(_dot_)org
http://lists.nongnu.org/mailman/listinfo/nmh-workers
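
As an added illustration (not nmh's code and not part of the original message, which does not show smhear() itself): a sketch of collecting a multi-line SMTP reply into a fixed buffer, with the space left recomputed from the write position on every line so that the separator byte and the terminating NUL are always counted. The names `struct reply` and `reply_append` and the 64-byte `REPLY_MAX` are hypothetical.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define REPLY_MAX 64            /* hypothetical size, small so truncation is easy to see */

struct reply {
    int    code;                /* three-digit SMTP status code */
    size_t used;                /* bytes stored in text, excluding the NUL */
    int    truncated;           /* set when server text did not fit */
    char   text[REPLY_MAX];
};

/* Feed one reply line (CRLF already stripped); *r must start zeroed.
 * Returns 1 after a continuation line ("250-..."), 0 after the final line
 * ("250 ..."), -1 if the line is malformed. Never writes past text[]. */
int reply_append(struct reply *r, const char *line)
{
    size_t len = strlen(line);
    if (len < 3 || !isdigit((unsigned char)line[0]) ||
        !isdigit((unsigned char)line[1]) || !isdigit((unsigned char)line[2]))
        return -1;
    if (len > 3 && line[3] != '-' && line[3] != ' ')
        return -1;

    int more = (len > 3 && line[3] == '-');
    const char *msg = (len > 3) ? line + 4 : line + 3;
    size_t mlen = strlen(msg);

    r->code = (line[0] - '0') * 100 + (line[1] - '0') * 10 + (line[2] - '0');

    /* Space left is derived from the write position each time, with one
     * byte always reserved for the terminating NUL. */
    size_t room = REPLY_MAX - 1 - r->used;

    if (r->used > 0) {          /* the separator between lines costs a byte too */
        if (room == 0) { r->truncated = 1; return more; }
        r->text[r->used++] = '\n';
        room--;
    }
    if (mlen > room) {          /* clamp instead of trusting the server's length */
        mlen = room;
        r->truncated = 1;
    }
    memcpy(r->text + r->used, msg, mlen);
    r->used += mlen;
    r->text[r->used] = '\0';
    return more;
}
```

A caller loops while the return value is 1 and treats `truncated` as a sign that the server sent more text than the client was prepared to keep.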
