Mailing-List: contact securesoftware-help@list.cr.yp.to; run by ezmlm
Delivered-To: mailing list securesoftware@list.cr.yp.to
Received: (qmail 26382 invoked from network); 15 Nov 2001 02:51:02 -0000
Received: from muncher.math.uic.edu (131.193.178.181) by thoth.math.uic.edu with SMTP; 15 Nov 2001 02:51:02 -0000
Received: (qmail 19957 invoked by uid 1002); 14 Nov 2001 23:57:28 -0000
Delivered-To: list-securesoftware@list.cr.yp.to
Received: (qmail 7978 invoked by uid 1001); 14 Nov 2001 23:57:28 -0000
Date: 14 Nov 2001 23:57:28 -0000
Message-ID: <20011114235728.26773.qmail@cr.yp.to>
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.
From: "D. J. Bernstein"
To: securesoftware@list.cr.yp.to
Subject: [remote] [kill] postfix smtpd can chew up all your memory
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

This is almost too funny for words.

You may recall that Wietse Venema, kicking off a mud-slinging campaign to
promote Postfix in June 1997, blamed qmail-smtpd for allocating memory up
to the resource limits set by the system administrator. You may also
recall part of my public response at the time:

   Venema seems to think that it's better design to have separate code
   in each program to impose configurable artificial limits on every
   dynamically allocated structure for network data. Idiocy.

Later, when I wrote http://cr.yp.to/qmail/venema.html, I expanded
``Idiocy'' into ``I think that this is remarkably bad engineering.'' The
reasons are obvious to any competent programmer: Venema's approach is
vastly more complicated and error-prone than system resource limits.

Guess what? Venema forgot to put an artificial limit on Postfix's
dynamically allocated SMTP session log. If the system administrator
doesn't have resource limits, an attacker can trivially convince
Postfix's smtpd to use all available memory. Many other programs will
then die because they don't have enough memory.

This was reported for Postfix version 20010228-pl05. Apparently it
applies to all Postfix versions. Venema comments that earlier versions
would clear the log ``after each successful delivery,'' but there's no
reason that the attacker has to allow a successful delivery.

Is Venema going to make as much of a fuss about this as he made about
qmail-smtpd? Is he going to post ``exploits,'' send messages to bugtraq,
and try to have entries added to vulnerability databases? Stay tuned.

I'll content myself with ROTFLMAO.

---Dan
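The two positions in the message above, as an added example that is not part of the original post and is not Postfix or qmail code: a toy "SMTP session log" that grows on every client command, driven by a client that never lets a delivery complete, so the log is never cleared. The same session is run three ways: with no limit at all, with a hand-coded per-structure cap (the approach that has to be remembered for every dynamically allocated structure), and under a kernel resource limit (RLIMIT_AS, set in a forked child) that makes realloc() fail for every structure at once. The struct and function names, the exit codes, the 1 KiB HELO line and the 256 MiB limit are assumptions for this demo; RLIMIT_AS enforcement is assumed to be Linux behaviour.

```c
/* Added example, not Postfix or qmail code. Names, log format, exit codes
 * and the limits below are assumptions chosen for the demonstration. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum { SESSION_OK = 0, SESSION_ENOMEM = 2, SESSION_CAPPED = 3, SESSION_SETUP_FAILED = 4 };

struct session_log {
    char *buf;
    size_t len, cap;
    size_t max_bytes;   /* artificial per-structure limit; 0 = none (the forgotten case) */
};

/* Append one command line to the log, growing the buffer by doubling.
 * Returns -1 with errno EFBIG when the artificial cap is hit, or ENOMEM
 * when the allocator itself refuses (e.g. under a kernel resource limit). */
static int log_append(struct session_log *l, const char *line)
{
    size_t n = strlen(line) + 1;              /* room for the trailing '\n' */
    if (l->max_bytes && l->len + n > l->max_bytes) {
        errno = EFBIG;
        return -1;
    }
    if (l->len + n > l->cap) {
        size_t ncap = l->cap ? l->cap * 2 : 4096;
        while (ncap < l->len + n) ncap *= 2;
        char *nb = realloc(l->buf, ncap);
        if (!nb) { errno = ENOMEM; return -1; }
        l->buf = nb;
        l->cap = ncap;
    }
    memcpy(l->buf + l->len, line, n - 1);
    l->buf[l->len + n - 1] = '\n';
    l->len += n;
    return 0;
}

/* The attacker's session: every command is a 1 KiB HELO that the server
 * records; no delivery ever succeeds, so the log is never cleared. */
static int run_session(size_t max_bytes, size_t max_lines)
{
    struct session_log l = { NULL, 0, 0, max_bytes };
    char line[1024];                          /* constructed sample command */
    memset(line, 'A', sizeof line - 1);
    line[sizeof line - 1] = '\0';
    memcpy(line, "HELO ", 5);
    for (size_t i = 0; i < max_lines; i++) {
        if (log_append(&l, line) < 0) {
            int rc = (errno == ENOMEM) ? SESSION_ENOMEM : SESSION_CAPPED;
            free(l.buf);
            return rc;
        }
    }
    free(l.buf);
    return SESSION_OK;
}

/* Run the session in a forked child so that an RLIMIT_AS of as_bytes
 * (0 = no limit) cannot affect the caller; returns the child's result. */
int run_attack(size_t as_bytes, size_t max_bytes, size_t max_lines)
{
    pid_t pid = fork();
    if (pid < 0) return SESSION_SETUP_FAILED;
    if (pid == 0) {
        if (as_bytes) {
            struct rlimit rl = { as_bytes, as_bytes };
            if (setrlimit(RLIMIT_AS, &rl) != 0) _exit(SESSION_SETUP_FAILED);
        }
        _exit(run_session(max_bytes, max_lines));
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return SESSION_SETUP_FAILED;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* No cap, no rlimit, short session: the log just grows (1 MiB here). */
    printf("no limit, 1000 lines:      %d (expect %d)\n", run_attack(0, 0, 1000), SESSION_OK);
    /* Per-structure cap of 1 MiB: stops, but only because someone remembered
     * to write this one cap into this one structure. */
    printf("per-structure cap 1 MiB:   %d (expect %d)\n", run_attack(0, 1 << 20, 1 << 20), SESSION_CAPPED);
    /* No cap, but RLIMIT_AS of 256 MiB: realloc() returns NULL long before
     * the attacker's million lines, and the session fails closed. */
    printf("RLIMIT_AS 256 MiB, no cap: %d (expect %d)\n", run_attack(256u << 20, 0, 1 << 20), SESSION_ENOMEM);
    return 0;
}
```

The third run is the point of the message: nothing in the log code knows about the limit, yet the allocator refuses at 128 MiB of log (the next doubling would exceed the address-space limit) and the error path already written for ENOMEM ends the session. Without the rlimit, the same loop keeps doubling until the whole machine feels it.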