From owner-freebsd-bugs  Thu Sep 30 21:40:10 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
        by hub.freebsd.org (Postfix) with ESMTP id 5F3C114CB4
        for ; Thu, 30 Sep 1999 21:40:06 -0700 (PDT)
        (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
        by freefall.freebsd.org (8.9.3/8.9.2) id VAA69483;
        Thu, 30 Sep 1999 21:40:06 -0700 (PDT)
        (envelope-from gnats@FreeBSD.org)
Received: from alcanet.com.au (border.alcanet.com.au [203.62.196.10])
        by hub.freebsd.org (Postfix) with ESMTP id 6014614C06
        for ; Thu, 30 Sep 1999 21:39:22 -0700 (PDT)
        (envelope-from jeremyp@gsmx07.alcatel.com.au)
Received: by border.alcanet.com.au id <40354>; Fri, 1 Oct 1999 14:36:12 +1000
Message-Id: <99Oct1.143612est.40354@border.alcanet.com.au>
Date: Fri, 1 Oct 1999 14:39:16 +1000
From: Peter Jeremy
Reply-To: peter.jeremy@alcatel.com.au
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: bin/14069: Buffer overflow in mail(1)
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         14069
>Category:       bin
>Synopsis:       Buffer overflow in mail(1)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 30 21:40:01 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     Peter Jeremy
>Release:        FreeBSD 4.0-CURRENT i386
>Organization:
Alcatel Australia Limited
>Environment:
cvs-cur 5710
>Description:
Mail(1) gets SIGSEGV whilst processing mailbox.
>How-To-Repeat:
Create a file containing the following (between the '===') and feed it
to mail with `mail -f file'.  (The mail addresses have been munged both
to protect the guilty and to enable the location of the failure to be
more accurately identified).

Mail reports:

Mail version 8.1 6/6/93.  Type ? for help.
"file": 1 message 1 new
zsh: segmentation fault (core dumped)

================================================================
From aZZYZ.XZWZV@ZUZTZSZ.RZQ.ZP Mon Sep 27 18:11:11 1999
Return-Path:
Received: from ZDZCZB.ZAZzZyZ.xZw.Zv (ZuZtZs.ZrZqZpZ.oZn.Zm [139.188.20.1])
        by ZlZkZj.ZiZhZgZ.fZe.Zd (8.9.3/8.9.3) with ESMTP id SAA17296
        for ; Mon, 27 Sep 1999 18:11:10 +1000 (EST)
        (envelope-from SYRYQ.YPYOY@NYMYLYK.YJY.IY)
Received: from HYGY.FYE.YDYCYBY.AYz.Yy (mfg1 [139.188.23.1])
        by YxYwYv.YuYtYsY.rYq.Yp (8.8.8/8.7.3) with ESMTP id SAA15285
        for ; Mon, 27 Sep 1999 18:11:10 +1000 (EST)
Received: from YfYeYd.YcYbYaX.XWX.VX by UXT.XSXRXQX.PXO.XN
        (PMDF V5.2-32 #37641) with ESMTP id <01JGH2YWZRSWBL6YMG@XMX.LXKXJXI.XHX.GX>
        for jeremyp@FXEXDX.CXBXAXz.XyX.xX (ORCPT rfc822;wXvXu.XtXsXr@XqXpXoX.nXm.Xl);
        Mon, 27 Sep 1999 18:09:45 +1000
Received: (from prdadm@localhost)
        by XkXjXi.XhXgXfX.eXd.Xc (AIX4.3/UCB 8.8.8/8.8.8) id SAA27452
        for XbXaW.WVWUWT@WSWRWQW.PWO.WN; Mon, 27 Sep 1999 18:05:26 +1000
Date: Mon, 27 Sep 1999 18:05:26 +1000
From: WMWLW.KWJWI@WHWGWFW.EWD.WC (KYLIE SMITH)
Subject: Notification of future termination xxxxxxxx
To: WBW_AWzWyWxW@wWvWuW.tWsWrWq.WpW.oW
To: nWm_WlWkWjWi@WhWgWf.WeWdWcW.bWa.VV
To: UVT_VS@VRVQVP.VOVNVMV.LVK.VJ
To: VIV_HVGVFVE@VDVCVB.VAVzVyV.xVw.Vv
To: VuV_tVsVrVqV@pVoVnV.mVlVkVj.ViV.hV
To: gVf_VeVdV@cVbVaU.UTUSURU.QUP.UO
To: UNU_MULUKU@JUIUHU.GUFUEUD.UCU.BU
To: AUz_UyUxUw@UvUuUt.UsUrUqU.pUo.Un
To: UmU_lU@kUjUiU.hUgUfUe.UdU.cU
To: bUa_TTSTRTQT@PTOTNT.MTLTKTJ.TIT.HT
To: GTFTETDT.CTBTAT@zTyTxTw.TvT.uT
To: tTsTr.TqTpTo@TnTmTlT.kTj.Ti
To: ThTgTfT.eTdTcT@bTaSSRS.QSP.SO
To: SNSMSLSKSJ.SISHSGS@FSESDSC.SBS.AS
To: zSySxSwS.vSuStS@sSrSqSp.SoS.nS
To: mSlSkS.jS@iShSgSf.SeS.dS
To: cSbS.aRRQR@PRORNRM.RLR.KR
To: JRIRH.RGR@FRERDRC.RBR.AR
To: zRyRx.RwRv@RuRtRsR.rRq.Rp
To: RoRnRmRl.RkRjRi@RhRgRfR.eRd.Rc
To: RbRa.QQPQOQNQ@MQLQKQJ.QIQ.HQ
To: GQFQEQDQCQ.BQAQzQy@QxQwQvQ.uQt.Qs
To: QrQqQp.QoQnQmQ@lQkQjQi.QhQ.gQ
To: fQeQdQcQbQa.PPOPNPMPLP@KPJPIPH.PGP.FP
To: EPDPCPBP.APzP@yPxPwPv.PuP.tP
To: sPr.PqPpP@oPnPmPl.PkP.jP
To: iPhPgP.fPePd@PcPbPaO.ONO.MO
To: LOK.OJO@IOHOGOF.OEO.DO
To: COBO.AOzOyOxOw@OvOuOtO.sOr.Oq
To: OpOoOn.OmOlOkOjOiOhO@gOfOeOd.OcO.bO
To: aNNMN.LNKNJN@INHNGNF.NEN.DN
To: CNBNA.NzNyN@xNwNvNu.NtN.sN
To: rNqN.pNoNnNmN@lNkNjNi.NhN.gN
To: fNeN.dNcNb@NaMMLMK.MJM.IM
Reply-to: HMGMF.MEMDM@CMBMAMz.MyM.xM (KYLIE SMITH)
Message-id:
MIME-version: 1.0
X-Mailer: SAP R/3 Internet Mail Gateway 3.1I8
Content-type: TEXT/PLAIN; CHARSET="ISO-8859-1"
Content-transfer-encoding: 7BIT

Termination Date : 01.10.1999
Employee No: xxxxxxxx
UPI: ZZxxxxxxx
Employee Name : Xxxxx Xxxxxxx Xxxxxx
Work Address : A.2/1F .
Phone Extension :
Position title : xxxxxxxx xxxxxxx xxxxxxxxxx
Department : xxxxxxxxxx xxxxxxxxxx xxxxxxxxxx
Supervisor : Zxxxx Yttttt
================================================================

Invoking gdb on the core file shows %ebp contains 0x4d492e4d, which is
"M.IM" after byte reversal.  This appears in the last `To:' address above.
>Fix:
The work-around I implemented was:
        # cd /usr/ports/mail/mutt
        # make
        # make install
:-)

I found (and fixed) what appeared to be a number of potential buffer
overflows in copyin(), nextword() and parse() (all of which take a char
array with no size as an argument).  This didn't help.

Further investigation with gdb shows that skin() reads arbitrarily-sized
input into a fixed size buffer.  A quick fix for this is below.  This
fixed my problem with the above message, but I don't know if it's safe
in general.

Index: aux.c
===================================================================
RCS file: /home/CVSROOT/src/usr.bin/mail/aux.c,v
retrieving revision 1.4
diff -u -r1.4 aux.c
--- aux.c	1997/07/24 06:56:33	1.4
+++ aux.c	1999/10/01 04:32:09
@@ -456,7 +456,7 @@
 	register char *cp, *cp2;
 	char *bufend;
 	int gotlt, lastsp;
-	char nbuf[BUFSIZ];
+	char *nbuf = alloca(strlen(name));
 
 	if (name == NOSTR)
 		return(NOSTR);

Peter
--
Peter Jeremy (VK2PJ)            peter.jeremy@alcatel.com.au
Alcatel Australia Limited
41 Mandible St                  Phone: +61 2 9690 5019
ALEXANDRIA  NSW  2015           Fax:   +61 2 9690 5982
>Release-Note:
>Audit-Trail:
>Unformatted:
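Review bot: `alloca(strlen(name))` in the skin() hunk is one byte too small: the old `char nbuf[BUFSIZ]` held the copied address plus its terminating NUL, and a buffer sized exactly strlen(name) has no room for that terminator, so the write that ends the string lands one byte past the allocation. It should be `alloca(strlen(name) + 1)`, and the hunk should also document why the input length bounds the output (the rest of skin() only ever emits characters it has consumed from name). Separately, sizing an alloca() from a header line the sender controls replaces a fixed overflow with an unbounded stack allocation that cannot report failure; a heap buffer of strlen(name) + 1 that is freed after the copy, or an explicit length check against BUFSIZ before copying, would be the safer shape. Whichever is chosen, the submitter's own caveat ("I don't know if it's safe in general") belongs in the commit message until that bound is written down.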
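To make the "size the buffer from the input, not from BUFSIZ" fix concrete, here is an added example that is not code from this PR or from FreeBSD's usr.bin/mail: a simplified, bounds-checked model of the header "skinning" that skin() performs (drop parenthesised comments, copy quoted-strings, keep only the angle-bracketed address when one is present). The function names skin_copy, skin_needed and skin_safe, the snprintf-style size-query interface, and the sample inputs are all my own; comma-separated address lists, which the real skin() handles, are not modelled.

```c
/* Added example, not code from the PR or from FreeBSD usr.bin/mail: a
 * simplified, bounds-checked model of what skin() does to a From:/To: header
 * (drop (comments), copy "quoted-strings", keep only the <addr-spec> when one
 * is present; address lists are not modelled), with the output buffer sized
 * from the input instead of a fixed char nbuf[BUFSIZ].  Names are made up. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Skip a (possibly nested) comment; cp points just past the opening '('. */
static const char *skip_comment(const char *cp)
{
    int depth = 1;
    while (*cp != '\0' && depth > 0) {
        if (*cp == '\\' && cp[1] != '\0')
            cp++;                           /* quoted-pair inside the comment */
        else if (*cp == '(')
            depth++;
        else if (*cp == ')')
            depth--;
        cp++;
    }
    return cp;
}

/* Write the skinned form of name into dst (cap bytes, NUL included); return
 * the size the full result needs, like snprintf(3).  Never writes past
 * dst[cap - 1]; dst may be NULL when cap == 0 (pure size query). */
static size_t skin_copy(const char *name, char *dst, size_t cap)
{
    size_t len = 0;
    int lastsp = 0;
#define PUT(ch) do { if (len + 1 < cap) dst[len] = (char)(ch); len++; } while (0)
    for (const char *cp = name; *cp != '\0'; ) {
        int c = (unsigned char)*cp++;
        switch (c) {
        case '(':                           /* comment: drop it entirely */
            cp = skip_comment(cp);
            lastsp = 0;
            break;
        case '"':                           /* quoted-string: copy verbatim */
            while (*cp != '\0' && *cp != '"') {
                if (*cp == '\\' && cp[1] != '\0')
                    cp++;
                c = (unsigned char)*cp++;
                PUT(c);
            }
            if (*cp == '"') cp++;
            lastsp = 0;
            break;
        case ' ': case '\t':                /* collapse a whitespace run */
            lastsp = 1;
            break;
        case '<':                           /* route-addr: drop the display name */
            len = 0;
            break;
        case '>':                           /* end of route-addr: ignore the rest */
            cp += strlen(cp);
            break;
        default:
            if (lastsp && len > 0)
                PUT(' ');
            lastsp = 0;
            PUT(c);
        }
    }
    if (cap > 0)
        dst[len < cap ? len : cap - 1] = '\0';
    return len + 1;
#undef PUT
}

/* Bytes needed to hold the skinned name, NUL terminator included. */
size_t skin_needed(const char *name) { return skin_copy(name, NULL, 0); }

/* Hardened replacement for the fixed stack buffer.  Every case above consumes
 * at least as many input bytes as it emits, so the result is never longer than
 * the input and strlen(name) + 1 bytes (+1 for the NUL) always suffice; the
 * check fails closed if that invariant is ever broken.  Caller frees. */
char *skin_safe(const char *name)
{
    size_t cap = strlen(name) + 1;
    char *out = malloc(cap);
    if (out != NULL && skin_copy(name, out, cap) > cap) {
        free(out);
        out = NULL;
    }
    return out;
}

int main(void)
{   /* Constructed input, not one of the PR's addresses: a 4*BUFSIZ-byte local
     * part, which would overrun char nbuf[BUFSIZ] in mail(1) but is fine here. */
    char big[4 * BUFSIZ + 1], *s;
    memset(big, 'M', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    s = skin_safe(big);
    printf("skinned %zu input bytes into %zu bytes\n", strlen(big), s ? strlen(s) : 0);
    free(s);
    return 0;
}
```

The design point is the one the PR's patch gets only half right: the output of this kind of rewrite is bounded by its input, so strlen(name) + 1 is a correct buffer size, but the + 1 for the terminator is mandatory, and the copy loop itself should still refuse to write past the capacity it was given so that a broken invariant truncates instead of corrupting the stack.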