[REVISED] Re: qmail remote root patch
Xin LI
delphij at frontfree.net
Mon Jan 19 07:31:25 PST 2004
The last patch I sent to the list is incomplete because it did not handle
the case where there are too many short DELIVERED or RECEIVED lines, which
still has the potential to cause memory overwrites.
I hope this time the exploit potential is completely eliminated.
Cheers,
Xin LI
--- qmail-smtpd.c.orig Mon Jan 19 23:20:38 2004
+++ qmail-smtpd.c Mon Jan 19 23:22:36 2004
@@ -305,7 +305,7 @@
*hops = 0;
flaginheader = 1;
pos = 0; flagmaybex = flagmaybey = flagmaybez = 1;
- for (;;) {
+ for (;;((*hops) < MAXHOPS)) {
substdio_get(&ssin,&ch,1);
if (flaginheader) {
if (pos < 9) {
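Review bot: the hop cap on the changed `for` line is in the wrong clause of the `for` statement. `for (;;((*hops) < MAXHOPS))` leaves the loop condition empty and places the comparison in the increment position, where its value is evaluated and discarded after each iteration, so the loop still runs exactly as before and the cap this message is meant to add for "too many short DELIVERED or RECEIVED lines" never takes effect. The comparison belongs in the middle clause: `for (;(*hops) < MAXHOPS;) {`. Even with that fixed, leaving this loop early stops the `substdio_get(&ssin,&ch,1)` reads before the end of the message has been consumed, so the remaining bytes of the DATA stream stay on `ssin` for whatever reads it next; if the cap is meant to abort the transfer, the rest of the message still has to be drained (or the connection dropped) rather than just breaking out of the loop.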
@@ -317,7 +317,17 @@
if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0;
if (flagmaybey) if (pos == 1) flaginheader = 0;
}
- ++pos;
+ if((++pos) > 1000) {
+ /*
+ * RFC 2821 has explicitly defined a text line can contain
+ * 1000 characters at maximium. This is a workaround to
+ * stop copying characters there, but I am not sure about
+ * the side effect. Consider this as an attack and set hops
+ * to MAXHOPS to prevent future processing.
+ */
+ *hops = MAXHOPS;
+ break;
+ }
if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez =
1; }
}
switch(state) {
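Review bot: the `break` after `*hops = MAXHOPS;` exits the loop in the middle of an over-long line, so the rest of that line and of the message body are left unread on `ssin`; the comment itself flags the side effect as unknown, and it is the same early-exit problem as the `for` change above. Per character, the only thing this loop does once `pos` is past the `pos < 9` checks is `++pos`, so the hazard the 1000-byte limit guards against is `pos` growing without bound, and that can be handled without leaving the loop: clamp instead of breaking, e.g. `if (pos < 1000) ++pos;`, keep the `*hops = MAXHOPS;` assignment if the line is to be treated as an attack, and let the existing `if (ch == '\n') { pos = 0; ... }` reset handle the end of the line. Minor: "maximium" in the comment should be "maximum", and `if((++pos) > 1000)` diverges from the `if (...)` spacing used on the surrounding lines.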
More information about the freebsd-hackers mailing list