From owner-freebsd-hackers@FreeBSD.ORG Mon Jan 19 05:41:10 2004
From: "Xin LI"
To: "Anton Alin-Adrian" ,
References: <400BD0CE.6050609@reversedhell.net>
Date: Mon, 19 Jan 2004 21:41:07 +0800
Organization: Phantasm Studio
Subject: Re: qmail remote root patch
Message-ID: <010e01c3de91$e6daa9a0$0401a8c0@phantasm205>
List-Id: Technical Discussions relating to FreeBSD

On page 54 of RFC2821, a text line should be shorter than 1000 characters, if I did not misunderstand it. So I'd propose the following patch, which mitigates the issue by rejecting anything that contains an RFC violation.

Cheers,
Xin LI

--- qmail-smtpd.c.orig Mon Jan 19 21:08:35 2004
+++ qmail-smtpd.c Mon Jan 19 21:38:31 2004
@@ -317,7 +317,17 @@ if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0; if (flagmaybey) if (pos == 1) flaginheader = 0; } - ++pos; + if((++pos) > 1000) { + /* + * RFC 2821 has explicitly defined a text line can contain + * 1000 characters at maximium. This is a workaround to + * stop copying characters there, but I am not sure about + * the side effect. Consider this as an attack and set hops + * to MAXHOPS to prevent future processing. + */ + *hops = MAXHOPS; + break; + } if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; } } switch(state) {
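Review bot: the `break` in the added block leaves the surrounding read loop before `switch(state)` is ever reached, so the remainder of the DATA stream is left unread and whatever follows would be parsed as SMTP commands once control returns to the caller; the comment itself concedes the side effect is unknown. Safer to keep the loop running: record the violation (the `*hops = MAXHOPS;` marker already does that) and let the existing `if (ch == '\n') { pos = 0; ... }` reset and the state machine consume the message through end-of-data, with the caller then rejecting it. Two smaller points: the counter lives in the block that does the `pos`/`flaginheader` bookkeeping, so if that block stops running once `flaginheader` is cleared, over-long body lines are never counted; and `> 1000` accepts a line of exactly 1000 characters, which matches RFC 2821 (the 1000 includes the CRLF) but not the cover note's "shorter than 1000". Style: qmail writes `if (` with a space.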
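Added example, not from the posted patch or from qmail itself: a byte-at-a-time scanner in the style of qmail-smtpd's blast() loop that enforces the RFC 2821 1000-character line limit but, instead of breaking out of the read loop, only records the violation and keeps consuming the DATA stream through the terminating CRLF.CRLF, so the caller can reject the message while the SMTP session stays in sync. The names scan_byte/scan_data, the constructed sample message, and treating only a CRLF-terminated "." line as end-of-data are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_LINE 1000 /* RFC 2821 4.5.3.1: text line limit, CRLF included */

/* Per-message scanner state, modelled on the pos bookkeeping in blast(). */
struct scan {
    unsigned int pos;   /* bytes since the most recent '\n' */
    int state;          /* 0 line start, 1 after ".", 2 after ".\r", 3 mid-line */
    int toolong;        /* sticky: some line exceeded MAX_LINE */
    int done;           /* the terminating "<CRLF>.<CRLF>" has been consumed */
};
static void scan_init(struct scan *s) { memset(s, 0, sizeof *s); }

/* Feed one byte. Returns 1 once end-of-data has been consumed. Unlike the
 * patch's break, an over-long line only sets a flag; reading continues so
 * the rest of the DATA stream is never mistaken for SMTP commands. */
static int scan_byte(struct scan *s, char ch)
{
    if (s->done) return 1;
    if (++s->pos > MAX_LINE) s->toolong = 1;
    switch (s->state) {
    case 0: s->state = (ch == '.') ? 1 : 3; break;
    case 1: s->state = (ch == '\r') ? 2 : 3; break;
    case 2: if (ch == '\n') { s->done = 1; return 1; } s->state = 3; break;
    default: break;
    }
    if (ch == '\n') { s->pos = 0; s->state = 0; }
    return 0;
}

/* Scan buf; returns bytes consumed (through the terminator) or len. */
static size_t scan_data(struct scan *s, const char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; ++i)
        if (scan_byte(s, buf[i])) return i + 1;
    return len;
}

/* Constructed sample: a 1100-byte header line (RFC violation), a short body,
 * the end-of-data marker, then a pipelined QUIT that must be left unread. */
static size_t run_demo(struct scan *s)
{
    static char msg[1200];
    static const char tail[] = "\r\nbody\r\n.\r\nQUIT\r\n";
    memset(msg, 'X', 1100);
    memcpy(msg + 1100, tail, sizeof tail - 1);
    scan_init(s);
    return scan_data(s, msg, 1100 + sizeof tail - 1); /* returns 1111 */
}
static int demo_toolong(void) { struct scan s; run_demo(&s); return s.toolong; }
static size_t demo_consumed(void) { struct scan s; return run_demo(&s); }
```

The six unread bytes after the 1111 consumed ones are the pipelined "QUIT\r\n", which the command parser, not the message reader, should see.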