Re: And another qpopper overflow (does this make 3?)

From: Aaron D. Gifford (agiffordat_private)
Date: Sun Jun 28 1998 - 13:28:21 PDT


    Sorry,
    
    I misread Miquel's post.  This was the overrun Miquel already mentioned.
    However, limiting the UIDL to 128 in length does not completely fix it, since
    a huge From: header could still cause an overrun.  Either way, I think the
    solution is to limit uidl_str size AND reduce the size of the buffer in the
    from_hdr() function from pop_uidl.c (as well as make the buffer static -- it
    sure seems to me like it should be).
    
    Here's what I chose to do instead of truncating uidl_str to 128 in
    pop_dropcopy.c:
    
    *** work/qpopper2.41beta1/pop_dropcopy.c        Sun Jun 28 12:58:14 1998
    --- work2/qpopper2.41beta1/pop_dropcopy.c       Sun Jun 28 13:07:47 1998
    *************** POP *p;
    *** 489,495 ****
                        /* Skip over header string */
                        cp = &buffer[7];
                          while (*cp && (*cp == ' ' || *cp == '\t')) cp++;
    !                     if(strlen(cp) < DIG_SIZE) /* To account for the empty
    UIDL string */
                          {
                              uidl_found--; /*roll over as though it hasn't seen
    anything*/
                              continue;
    --- 489,501 ----
                        /* Skip over header string */
                        cp = &buffer[7];
                          while (*cp && (*cp == ' ' || *cp == '\t')) cp++;
    !                     /*
    !                      * The UIDL digest SHOULD be approx. 32 chars long,
    !                      * so reject/skip any X-UIDL: lines that don't fit
    !                      * this profile.  A new X-UIDL: line will be created
    !                      * for any messages that don't have a valid one.
    !                      */
    !                     if(strlen(cp) < DIG_SIZE || strlen(cp) > DIG_SIZE * 3)
                          {
                              uidl_found--; /*roll over as though it hasn't seen
    anything*/
                              continue;
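    Review bot: The new upper bound `strlen(cp) > DIG_SIZE * 3` is a heuristic filter on the X-UIDL: value, not a bounds check on the copy into uidl_str; keep an explicit, destination-sized limit at that copy as well (a size-checked strncpy or equivalent), so that a line which passes this filter, or a later change to DIG_SIZE, cannot reintroduce the overrun. Two smaller points: strlen(cp) is evaluated twice on the same string in one expression, so compute it once into a size_t; and the comment says "approx. 32 chars" while the code bounds on DIG_SIZE, so phrase the comment in terms of DIG_SIZE to keep the two from drifting apart.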
    
    
    And then to fix the possibility of a From: header overrunning things in
    pop_uidl.c during an EUIDL command from the POP client:
    
    *** work/qpopper2.41beta1/pop_uidl.c    Wed Nov 19 14:20:38 1997
    --- work2/qpopper2.41beta1/pop_uidl.c   Sun Jun 28 13:09:56 1998
    *************** from_hdr(p, mp)
    *** 101,107 ****
           POP         *p;
           MsgInfoList *mp;
      {
    !   char buf[MAXLINELEN], *cp;
    
          fseek(p->drop, mp->offset, 0);
          while (fgets(buf, sizeof(buf), p->drop) != NULL) {
    --- 101,112 ----
           POP         *p;
           MsgInfoList *mp;
      {
    !   /*
    !    * Shorten this buffer so that an extra-long From: header
    !    * won't overflow the buffers in the pop_euidl() where
    !    * this function is called.  128 should be sufficient.
    !    */
    !   static char buf[MAXLINELEN - 128], *cp;
    
          fseek(p->drop, mp->offset, 0);
          while (fgets(buf, sizeof(buf), p->drop) != NULL) {
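    Review bot: Sizing buf as `MAXLINELEN - 128` ties this function's buffer to the layout of the caller's buffers in pop_euidl(), which is fragile; the bound belongs where the copy happens, so the caller should truncate to its own destination size (or from_hdr() should take a destination buffer and its size as parameters), and the literal 128 should at least be a named constant. Making buf static also makes from_hdr() non-reentrant, and any pointer it hands back into buf is overwritten by the next call, so callers must consume the result before calling again. Note too that fgets() with a smaller buffer does not discard an over-long From: line; it returns the line in pieces, and the loop then sees the remainder as a fresh line, so the loop should check for a missing trailing newline and skip the rest of that line before continuing.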
    
    
    
    
    Aaron out.
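As an added example of the point Aaron is making, and not code from his post or from qpopper, the following C function copies a mail header value into a fixed-size buffer with the bound decided by the destination, so an over-long From: header is truncated rather than overrunning anything. The names (copy_header_value, HDR_VALUE_MAX, the demo_* helpers) and the two sample messages are constructed for this demonstration and are not qpopper's.

```c
/* Added example, not qpopper code: copy a mail header value into a
 * fixed-size buffer with an explicit bound, so an over-long From:
 * header is truncated instead of overrunning the destination.
 * Names, sizes and the sample messages below are constructed for
 * this demonstration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define HDR_VALUE_MAX 32   /* hypothetical destination size, incl. NUL */

/* Find the first line of the header block `hdrs` that starts with
 * `name` (e.g. "From:"), skip leading blanks, and copy the value into
 * dst, never writing more than dstsz bytes.  Returns the full length
 * of the value in the message (so a return >= dstsz means the value
 * was truncated), or -1 if no such header precedes the blank line that
 * ends the headers.  Folded continuation lines are not joined. */
int copy_header_value(const char *hdrs, const char *name,
                      char *dst, size_t dstsz)
{
    size_t nlen = strlen(name);
    const char *line = hdrs;

    if (dstsz == 0)
        return -1;
    dst[0] = '\0';

    while (*line != '\0' && *line != '\n') {   /* blank line: end of headers */
        const char *eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);

        if (llen >= nlen && strncmp(line, name, nlen) == 0) {
            const char *val = line + nlen;
            const char *end = line + llen;
            size_t vlen, ncopy;

            while (val < end && (*val == ' ' || *val == '\t'))
                val++;
            vlen = (size_t)(end - val);
            /* The bound is decided by the destination, not the input. */
            ncopy = vlen < dstsz - 1 ? vlen : dstsz - 1;
            memcpy(dst, val, ncopy);
            dst[ncopy] = '\0';
            return (int)vlen;
        }
        if (eol == NULL)
            break;
        line = eol + 1;
    }
    return -1;
}

/* Constructed sample: a well-formed header block. */
static const char SAMPLE_OK[] =
    "Received: from mx.example.invalid\n"
    "From: alice@example.invalid\n"
    "Subject: hi\n"
    "\n"
    "From: this is body text, not a header\n";

/* Constructed sample: a From: value far longer than HDR_VALUE_MAX. */
static const char SAMPLE_LONG[] =
    "From: "
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   /* 32 A's */
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"   /* 32 A's */
    "@example.invalid\n"
    "\n";

/* Helpers that report what a caller would see. */
int demo_was_truncated(const char *msg)
{
    char dst[HDR_VALUE_MAX];
    int n = copy_header_value(msg, "From:", dst, sizeof dst);
    return n >= (int)sizeof dst;        /* 1 if the value did not fit */
}

int demo_copied_len(const char *msg)
{
    char dst[HDR_VALUE_MAX];
    if (copy_header_value(msg, "From:", dst, sizeof dst) < 0)
        return -1;
    return (int)strlen(dst);            /* always <= HDR_VALUE_MAX - 1 */
}

int demo_value_is(const char *msg, const char *expect)
{
    char dst[HDR_VALUE_MAX];
    if (copy_header_value(msg, "From:", dst, sizeof dst) < 0)
        return 0;
    return strcmp(dst, expect) == 0;
}

int main(void)
{
    char dst[HDR_VALUE_MAX];
    int n = copy_header_value(SAMPLE_LONG, "From:", dst, sizeof dst);
    printf("value length %d, stored \"%s\" (%s)\n", n, dst,
           n >= (int)sizeof dst ? "truncated" : "complete");
    return 0;
}
```

The return value lets the caller notice truncation (the value length is reported even though only dstsz - 1 bytes are stored), which is the property the shrunken static buffer in the patch above does not give pop_euidl(): there, an over-long header is silently cut by fgets() and its tail re-read as a new line.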
    


