dave@onfcanim.UUCP (10/30/87)
Subject: /bin/mail overflows buffer, trashes stack +fix
Index: bin/mail.c 4.3BSD
Description:
Sendmail uses /bin/mail to deliver local mail, passing it the
return address in the arg list. Mail then copies it into a
100-byte buffer without checking for overflow. Long return
addresses trash the stack, producing a variety of potential
behaviours. Here, a particular address caused it to go into
an infinite loop.
Repeat-By:
Try /bin/mail -r <very long address, say 150 bytes> <yourname>
Fix:
Make "truename" a pointer, since it doesn't seem to need a copy
of the string.
*** mail.old Fri Oct 30 10:29:51 1987
--- mail.c Fri Oct 30 10:55:27 1987
***************
*** 418,424 ****
bulkmail(argc, argv)
char **argv;
{
! char truename[100];
int first;
register char *cp;
int gaver = 0;
--- 418,424 ----
bulkmail(argc, argv)
char **argv;
{
! char *truename;
int first;
register char *cp;
int gaver = 0;
***************
*** 448,454 ****
exit(EX_UNAVAILABLE);
}
- truename[0] = 0;
line[0] = '\0';
/*
--- 448,453 ----
***************
*** 464,470 ****
if (argc <= 1)
usage();
gaver++;
! strcpy(truename, argv[1]);
fgets(line, LSIZE, stdin);
if (strcmpn("From", line, 4) == 0)
line[0] = '\0';
--- 463,469 ----
if (argc <= 1)
usage();
gaver++;
! truename = argv[1];
fgets(line, LSIZE, stdin);
if (strcmpn("From", line, 4) == 0)
line[0] = '\0';
***************
*** 490,496 ****
if (argc <= 1)
usage();
if (gaver == 0)
! strcpy(truename, my_name);
time(&iop);
fprintf(tmpf, "%s%s %s", from, truename, ctime(&iop));
iop = ftell(tmpf);
--- 489,495 ----
if (argc <= 1)
usage();
if (gaver == 0)
! truename = my_name;
time(&iop);
fprintf(tmpf, "%s%s %s", from, truename, ctime(&iop));
iop = ftell(tmpf);