----- Original Message -----
From: "KF" <dotslashat_private>
Subject: Buffer overflow potential in centerICQ mail handling

> CenterICQ installed from centericq-4.7.2-3.rh7.rpm or
> centericq-4.7.2.tar.gz has a potential buffer overflow in the mail handling.
>
> Fix:
> src/hooks/msnhook.cc
>
>     sprintf(buf, _("+ [msn] e-mail from %s <%s>, %s"),
>         mail->from, mail->fromaddr, mail->subject);
>
> becomes
>
>     snprintf(buf, 1023, _("+ [msn] e-mail from %s <%s>, %s"),
>         mail->from, mail->fromaddr, mail->subject);
>
> Info:
>
> Msnhook::mailed is passed "data"... data.fromaddr combined with
> data.subject can trigger a buffer overflow due to their size being dynamic.
>
>     void msnhook::mailed(void *data) {
>         MSN_MailNotification *mail = (MSN_MailNotification *) data;
>
>         if(mail->from) {
>             char buf[1024];
>
>             sprintf(buf, _("+ [msn] e-mail from %s <%s>, %s"),
>                 mail->from, mail->fromaddr, mail->subject);
>             ...
>         }
>     }
>
> The "data" comes from code in ./libmsn-0.1/msn_commands.cc, which parses
> an email message and extracts info from the messages, in particular the
> "From-Addr" and "Subject" fields, which get stuffed into buf, which is
> only 1024 chars in length.
>
>     ...
>     else if (strstr(mimeInfo, "text/x-msmsgsemailnotification")) {
>         char *tmp = strstr(im, "From: ") + strlen("From: ");
>         MSN_MailNotification data;
>
>         data.from = tmp;
>         tmp = strstr(data.from, "\r\n"); *tmp = '\0';
>         DecodeMime(data.from);
>         ...
>         data.subject = strstr(tmp + 1, "Subject: ") + strlen("Subject: ");
>         tmp = strstr(data.subject, "\r\n"); *tmp = '\0';
>         DecodeMime(data.subject);
>         ...
>         data.fromaddr = strstr(tmp + 1, "From-Addr: ") + strlen("From-Addr: ");
>         tmp = strstr(data.fromaddr, "\r\n"); *tmp = '\0';
>
> -KF
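The defensive pattern the report's fix points at, as an added example in C that is not code from centericq or libmsn: the notification line is formatted with snprintf() bounded by the real buffer size and truncation is reported, and the From/Subject/From-Addr headers are copied into bounded buffers with every strstr() result checked. The function names, the 1500-byte Subject and the sample notification are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hardened form of the report's sprintf(): 0 = fits, 1 = truncated by snprintf(), -1 = error. */
int format_mail_line(char *buf, size_t buflen, const char *from, const char *fromaddr, const char *subject)
{
    int n = snprintf(buf, buflen, "+ [msn] e-mail from %s <%s>, %s", from, fromaddr, subject);
    if (n < 0) return -1;
    return (size_t)n >= buflen ? 1 : 0;
}

/* Bounded header extraction: every strstr() result and the output size are
 * checked, and the value is copied rather than NUL-terminated in place. */
int extract_header(const char *msg, const char *header, char *out, size_t outlen)
{
    const char *start = strstr(msg, header);
    if (!start) return 0;
    start += strlen(header);
    const char *end = strstr(start, "\r\n");
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len >= outlen) return 0;           /* value would not fit: reject */
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

/* Constructed sample: a Subject longer than the 1024-byte line buffer.
 * Expected 1: the line is truncated but nothing is written past buf. */
int demo_oversized_subject(void)
{
    char subject[1500], buf[1024];
    memset(subject, 'A', sizeof subject - 1);
    subject[sizeof subject - 1] = '\0';
    int rc = format_mail_line(buf, sizeof buf, "Alice", "alice@example.invalid", subject);
    return strlen(buf) == sizeof buf - 1 ? rc : -2;
}

/* Constructed notification in the From/Subject/From-Addr layout quoted in
 * the report. Expected 3: all headers extracted with the right values. */
int demo_extract(void)
{
    const char *im = "Content-Type: text/x-msmsgsemailnotification\r\n\r\n"
                     "From: Alice\r\nSubject: hello\r\nFrom-Addr: alice@example.invalid\r\n";
    char from[64], subject[64], addr[64];
    int found = extract_header(im, "From: ", from, sizeof from)
              + extract_header(im, "Subject: ", subject, sizeof subject)
              + extract_header(im, "From-Addr: ", addr, sizeof addr);
    if (found != 3) return found;
    return !strcmp(from, "Alice") && !strcmp(subject, "hello")
        && !strcmp(addr, "alice@example.invalid") ? 3 : -1;
}
```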
This archive was generated by hypermail 2b30 : Wed Jul 10 2002 - 12:40:52 PDT