Mailing-List: contact securesoftware-help@list.cr.yp.to; run by ezmlm
Date: Wed, 15 Dec 2004 00:39:04 -0800
From: Philip Brown <phil@bolthole.com>
To: securesoftware@list.cr.yp.to
Subject: Re: [remote] [control] elm/bolthole filter 2.6.1 save_embedded_address overflows address buffer
Message-ID: <20041215003904.A99495@bolthole.com>
References: <20041215081636.20609.qmail@cr.yp.to>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <20041215081636.20609.qmail@cr.yp.to>; from djb@cr.yp.to on Wed, Dec 15, 2004 at 08:16:36AM -0000

On Wed, Dec 15, 2004 at 08:16:36AM -0000, D. J. Bernstein wrote:
>...
> Here's the bug: In filter.c, save_embedded_address() copies any amount
> of data into an address[LONG_STRING] array.

Thank you for the notice. I believe the patch below, fixes the hole.
I shall be releasing filter 2.6.2 to address this, which will be just
filter 2.6.1 plus this patch.

--- filter.c.orig	2004-12-15 00:37:59.305552000 -0800
+++ filter.c	2004-12-15 00:34:46.823383000 -0800
@@ -785,19 +785,22 @@
 	register int i, j = 0;
 
 	/** first let's extract the address from this line.. **/
+	/* Note that if buffer is obnoxiously long, we may truncate*/
 
 	if (buffer[strlen(buffer)-1] == '>') {	/* case #1 */
 	  for (i=strlen(buffer)-1; buffer[i] != '<' && i > 0; i--)
 		/* nothing - just move backwards .. */ ;
 	  i++;	/* skip the leading '<' symbol */
-	  while (buffer[i] != '>')
+	  while ((buffer[i] != '>') && (j < (LONG_STRING-1) )){
 	    address[j++] = buffer[i++];
+	  }
 	  address[j] = '\0';
 	}
 	else {	/* get past "from:" and copy until white space or paren hit */
 	  for (i=strlen(fieldname); whitespace(buffer[i]); i++)
 	     /* skip past that... */ ;
-	  while (buffer[i] != '(' && ! whitespace(buffer[i]) && buffer[i]!='\0')
+	  while (buffer[i] != '(' && ! whitespace(buffer[i]) &&
+	         buffer[i]!='\0' && (j < (LONG_STRING-1) ))
 	    address[j++] = buffer[i++];
 	  address[j] = '\0';
 	}