Mailing-List: contact securesoftware-help@list.cr.yp.to; run by ezmlm
Delivered-To: mailing list securesoftware@list.cr.yp.to
Received: (qmail 26382 invoked from network); 15 Nov 2001 02:51:02 -0000
Received: from muncher.math.uic.edu (131.193.178.181)
  by thoth.math.uic.edu with SMTP; 15 Nov 2001 02:51:02 -0000
Received: (qmail 19957 invoked by uid 1002); 14 Nov 2001 23:57:28 -0000
Delivered-To: list-securesoftware@list.cr.yp.to
Received: (qmail 7978 invoked by uid 1001); 14 Nov 2001 23:57:28 -0000
Date: 14 Nov 2001 23:57:28 -0000
Message-ID: <20011114235728.26773.qmail@cr.yp.to>
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
From: "D. J. Bernstein" <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to
Subject: [remote] [kill] postfix smtpd can chew up all your memory
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

This is almost too funny for words.

You may recall that Wietse Venema, kicking off a mud-slinging campaign
to promote Postfix in June 1997, blamed qmail-smtpd for allocating
memory up to the resource limits set by the system administrator.

You may also recall part of my public response at the time:

   Venema seems to think that it's better design to have separate code
   in each program to impose configurable artificial limits on every
   dynamically allocated structure for network data. Idiocy.

Later, when I wrote http://cr.yp.to/qmail/venema.html, I expanded
``Idiocy'' into ``I think that this is remarkably bad engineering.'' The
reasons are obvious to any competent programmer: Venema's approach is
vastly more complicated and error-prone than system resource limits.

Guess what? Venema forgot to put an artificial limit on Postfix's
dynamically allocated SMTP session log. If the system administrator
doesn't have resource limits, an attacker can trivially convince
Postfix's smtpd to use all available memory. Many other programs will
then die because they don't have enough memory.

This was reported for Postfix version 20010228-pl05. Apparently it
applies to all Postfix versions. Venema comments that earlier versions
would clear the log ``after each successful delivery,'' but there's no
reason that the attacker has to allow a successful delivery.

Is Venema going to make as much of a fuss about this as he made about
qmail-smtpd? Is he going to post ``exploits,'' send messages to bugtraq,
and try to have entries added to vulnerability databases? Stay tuned.
I'll content myself with ROTFLMAO.

---Dan