| Field | Value | Date |
|---|---|---|
| author | Gilles Chehade <gilles@cvs.openbsd.org> | 2015-10-02 00:29:52 +0000 |
| committer | Gilles Chehade <gilles@cvs.openbsd.org> | 2015-10-02 00:29:52 +0000 |
| commit | 76a90522f1034be6037b9468d821a1471d0b9e87 | |
| tree | c70ebe07a7400d76133ac63176c5fb6248cdbaf9 /usr.sbin/smtpd/lka_session.c | |
| parent | d3f5954c30277ac74c0ae9d1d4afd611e7054d00 | |
fix a stack-based buffer overflow in the token expansion code of the lookup
process (unprivileged), allowing a local user to crash the server or
potentially execute arbitrary code.
reported by Qualys Security
Diffstat (limited to 'usr.sbin/smtpd/lka_session.c')
-rw-r--r-- | usr.sbin/smtpd/lka_session.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/usr.sbin/smtpd/lka_session.c b/usr.sbin/smtpd/lka_session.c index 8a78703cbc8..0996d66e236 100644 --- a/usr.sbin/smtpd/lka_session.c +++ b/usr.sbin/smtpd/lka_session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: lka_session.c,v 1.69 2015/01/20 17:37:54 deraadt Exp $ */ +/* $OpenBSD: lka_session.c,v 1.70 2015/10/02 00:29:51 gilles Exp $ */ /* * Copyright (c) 2011 Gilles Chehade <gilles@poolp.org> @@ -800,6 +800,10 @@ lka_expand_format(char *buf, size_t len, const struct envelope *ep, if (exptoklen == 0) return 0; + /* writing expanded token at ptmp will overflow tmpbuf */ + if (sizeof (tmpbuf) - (ptmp - tmpbuf) <= exptoklen) + return 0; + memcpy(ptmp, exptok, exptoklen); pbuf = ebuf + 1; ptmp += exptoklen; |
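Review bot: The new guard before `memcpy(ptmp, exptok, exptoklen)` in lka_expand_format() is computed in unsigned arithmetic, so `sizeof (tmpbuf) - (ptmp - tmpbuf)` is only a valid "space remaining" value while ptmp is at or before the end of tmpbuf. If any path outside this hunk can advance ptmp past the end, the subtraction wraps to a very large value and the check passes. Consider asserting or checking `ptmp - tmpbuf <= sizeof (tmpbuf)` first, or tracking the remaining length in a separate size_t that is decremented alongside `ptmp += exptoklen`. The comparison uses `<=` rather than `<`, which keeps one byte free; the comment should state that this byte is reserved (presumably for the terminating NUL) so a later edit does not "fix" it to `<`. The overflow case also returns 0, the same value as the `exptoklen == 0` case just above, so a caller cannot tell an oversized expansion from an empty one; a log line on this path would make rejected expansions visible to the operator.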