QPopper 4.0.4 buffer overflow


Date: 28 Apr 2002 19:21:14 -0000
From: Marcell Fodor <[email protected]>
To: [email protected]
Subject: QPopper 4.0.4 buffer overflow



Affected versions: 4.0.3 and 4.0.4, default install.
Servers not processing the user's configuration file
(~/.qpopper-options) are insensible to this bug.

pop_bull.c
-----------
int
CopyOneBull ( POP *p, long bnum, char *name )
{
    FILE          *bull;
    char           buffer [ MAXMSGLINELEN ];
    BOOL           in_header            = TRUE;
    BOOL           first_line           = TRUE;
    int            nchar; 
    int            msg_num;
    int            msg_vis_num          = 0;
    int            msg_ends_in_nl       = 0;
    char           bullName [ 256 ];
    MsgInfoList   *mp;
.
.
.
    sprintf ( bullName, "%s/%s", p->bulldir, name );
------------

The bullName buffer is 256 bytes long, but in the user's config file
you can define it up to MAXLINELEN-1-sizeof("set bulldir="), 1010 bytes.

~/.qpopper-options
--------------
set bulldir=AAAAAAAAAAA.....AAAAAAAAAAAAAAA
--------------

more info: http://mantra.freeweb.hu

Regards,

Marcell Fodor
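
Added example (not part of the original post and not QPopper's own code): a bounded replacement for the sprintf() call quoted above, which rejects a bulldir/name pair that does not fit the 256-byte buffer instead of writing past it. The names build_bull_path, try_bulldir, BULLNAME_LEN and MAX_DIR_LEN and the file name "00001.msg" are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define BULLNAME_LEN 256  /* size of bullName in the quoted CopyOneBull() */
#define MAX_DIR_LEN  1010 /* longest bulldir value, per the advisory */

/* Hypothetical helper: write "<bulldir>/<name>" into out (out_len bytes).
 * Returns 0 on success, -1 if the result would not fit. On failure out is
 * left empty, so a truncated path is never opened by mistake. */
int build_bull_path(char *out, size_t out_len,
                    const char *bulldir, const char *name)
{
    int n;
    if (out == NULL || out_len == 0)
        return -1;
    out[0] = '\0';
    if (bulldir == NULL || name == NULL)
        return -1;
    /* snprintf writes at most out_len bytes, terminating NUL included. */
    n = snprintf(out, out_len, "%s/%s", bulldir, name);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed test input: a bulldir of dir_len 'A' bytes, as in the
 * ~/.qpopper-options line above, with a made-up bulletin file name. */
int try_bulldir(size_t dir_len)
{
    char bullName[BULLNAME_LEN];
    char dir[MAX_DIR_LEN + 1];

    if (dir_len > MAX_DIR_LEN)
        return -1;
    memset(dir, 'A', dir_len);
    dir[dir_len] = '\0';
    return build_bull_path(bullName, sizeof bullName, dir, "00001.msg");
}

int main(void)
{
    /* 245 + '/' + 9 name bytes + NUL = 256: the longest value that fits. */
    printf("245: %d\n", try_bulldir(245));
    printf("246: %d\n", try_bulldir(246));
    printf("1010: %d\n", try_bulldir(MAX_DIR_LEN));
    return 0;
}
```

Checking the bulldir length when the configuration file is parsed, in addition to bounding the copy, keeps the over-long value from reaching any other fixed-size buffer.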

