delphij's Chaos

I chose the word "chaos" because~~ it is really hard to find a more fitting word to describe this place……

20 Jan 2004

qmail remote vulnerability?

Today someone posted a patch to qmail 1.0.3 and pointed this out.

I have a quick patch to this issue, hope it’s correct.

A revised patch that corrects the last one I posted here.

— qmail-smtpd.c.orig Mon Jan 19 23:20:38 2004
+++ qmail-smtpd.c Mon Jan 19 23:22:36 2004
@@ -305,7 +305,7 @@
*hops = 0;
flaginheader = 1;
pos = 0; flagmaybex = flagmaybey = flagmaybez = 1;

  • for (;;) {
  • for (;;((*hops) < MAXHOPS)) {
    substdio_get(&ssin,&ch,1);
    if (flaginheader) {
    if (pos < 9) {
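Review bot: In the changed loop header `for (;;((*hops) < MAXHOPS))`, the comparison sits in the third (iteration) slot of the `for` statement, not the second (condition) slot, so its result is evaluated and discarded after each pass and the loop is still unconditional. If the intent is to stop reading once the hop limit is reached, the test belongs in the condition position, i.e. `for (;(*hops) < MAXHOPS;) {`. Otherwise keep the original `for (;;) {` and leave termination to the explicit `break` added in the next hunk.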
    @@ -317,7 +317,17 @@
    if (pos < 2) if (ch != “\r\n”[pos]) flagmaybey = 0;
    if (flagmaybey) if (pos == 1) flaginheader = 0;
    }
  • ++pos;
  • if((++pos) > 1000) {
  • /*
  • * RFC 2821 has explicitly defined a text line can contain
  • * 1000 characters at maximium. This is a workaround to
  • * stop copying characters there, but I am not sure about
  • * the side effect. Consider this as an attack and set hops
  • * to MAXHOPS to prevent future processing.
  • */
  • *hops = MAXHOPS;
  • break;
  • }
    if (ch == ‘\n’) { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; }
    }
    switch(state) {
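Review bot: The new `if((++pos) > 1000)` check is placed inside the `if (flaginheader) {` block, so the line-length limit only applies while headers are being parsed; once `flaginheader` is cleared, `pos` is no longer incremented or tested and body lines remain unbounded. If the counter can still cause trouble after the header section, move the increment and the limit test outside that block. Two further points on the same lines: the `break` leaves the loop with the remainder of the message still unread on `ssin`, and signalling the condition by overwriting `*hops = MAXHOPS` makes an over-long line indistinguishable from a genuine hop-count overflow, so a dedicated flag or error path would be clearer than reusing the hop counter. The literal 1000 would also read better as a named constant next to `MAXHOPS`, and "maximium" in the comment is a typo.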