Bug#: 181324
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Raphael Marichez <falco@gentoo.org>
Description:   Opened: 2007-06-08 16:50 0000
policyd.h defines:

  char buf[MAXFDS][MAXLINE];

policyd.c calls:

  rres = w_read(sockfd,buf[sockfd]);

in sockets.c, w_read begins with:

ssize_t
w_read(unsigned int fd, char *ptr)
{
  ssize_t  n;
  size_t   data_read = 0;                                    /* for debug only */

  /* receive data. disable signals and do not wait */
  while ((n = recv(fd, (void *) ptr + buf_counter[fd], 1, MSG_DONTWAIT | MSG_NOSIGNAL)) == 1)
...



Unfortunately, the while() loop can go further than the allocated size of
*ptr (by entering overly long SMTP commands, >1024 bytes).

This loop needs to be changed like this, for example:

ssize_t w_read(unsigned int fd, char *ptr, unsigned int w_size)
while(( n = (....)) && buf_counter[fd] < w_size ){...}

You also may want to properly set buf[sockfd][MAXSIZE-1] = '\n'; that
can't hurt.

With a lot of connections, buf_counter[MAXFDS-1][] will be overflowed
and the next variables that reside in .bss will be overwritten. This can
potentially be used to overwrite random stuff in the heap, and maybe
terminate the daemon or remotely execute arbitrary code.

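The bounded read the report asks for, worked out as an added example (editor's code, not policyd's own and not part of the original report): a replacement for w_read() that carries the w_size argument proposed above, stops at w_size - 1 bytes, keeps the line NUL-terminated, and also refuses an fd that would index past buf_counter[], which is the second problem the report raises. MAXFDS = 64 and MAXLINE = 16 are assumed values (the page gives none); the read_status enum, the socketpair-based pair_* helpers and self_check() are hypothetical test scaffolding, not daemon code.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef MSG_NOSIGNAL          /* Linux flag; harmless no-op on other systems */
#define MSG_NOSIGNAL 0
#endif
/* Assumed sizes: the report names MAXFDS and MAXLINE but gives no values;
 * MAXLINE is kept tiny so the limit is cheap to hit in the self-check. */
#define MAXFDS  64
#define MAXLINE 16

/* Same layout as the report's globals: one line buffer and one fill counter
 * per descriptor, both indexed directly by the fd number. */
static char   buf[MAXFDS][MAXLINE];
static size_t buf_counter[MAXFDS];
enum read_status { RD_NEED_MORE, RD_LINE_DONE, RD_TOO_LONG, RD_CLOSED, RD_ERROR };

/* Bounded replacement for w_read(): still one non-blocking recv() per byte, but
 * it never writes past ptr[w_size - 1], keeps ptr NUL-terminated and refuses an
 * fd that would index outside buf_counter[]. */
static enum read_status
w_read_bounded(unsigned int fd, char *ptr, size_t w_size)
{
    if (fd >= MAXFDS || w_size < 2)
        return RD_ERROR;
    for (;;) {
        size_t used = buf_counter[fd];
        /* w_size - 1 payload bytes plus terminator: a line that fills the buffer
         * without a '\n' is rejected instead of being spilled into .bss. */
        if (used >= w_size - 1) {
            ptr[w_size - 1] = '\0';
            return RD_TOO_LONG;
        }
        ssize_t n = recv(fd, ptr + used, 1, MSG_DONTWAIT | MSG_NOSIGNAL);
        if (n == 0)
            return RD_CLOSED;
        if (n < 0)   /* EAGAIN: the partial line stays in buf[fd] for the next call */
            return (errno == EAGAIN || errno == EWOULDBLOCK) ? RD_NEED_MORE : RD_ERROR;
        buf_counter[fd] = used + 1;
        ptr[used + 1] = '\0';
        if (ptr[used] == '\n')
            return RD_LINE_DONE;
    }
}

/* Test harness (hypothetical, not daemon code): a socketpair stands in for a
 * client connection; rx is the fd the reader indexes its tables with. */
struct pair { int rx, tx; };

static int pair_open(struct pair *p)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    if ((unsigned)sv[0] >= MAXFDS) { close(sv[0]); close(sv[1]); return -1; }
    p->rx = sv[0]; p->tx = sv[1];
    memset(buf[p->rx], 0, MAXLINE);
    buf_counter[p->rx] = 0;
    return 0;
}

/* Send `len` bytes from the "client" side, then run one bounded read. */
static enum read_status pair_send(struct pair *p, const char *data, size_t len)
{
    if (write(p->tx, data, len) != (ssize_t)len)
        return RD_ERROR;
    return w_read_bounded((unsigned)p->rx, buf[p->rx], MAXLINE);
}

static void pair_close(struct pair *p) { close(p->rx); close(p->tx); }

/* Returns 0 when every case behaves, else the number of the first failing check. */
static int self_check(void)
{
    struct pair p;
    char line[64];
    if (pair_open(&p) != 0) return 1;                 /* 1: short command, one call */
    if (pair_send(&p, "HELO x\n", 7) != RD_LINE_DONE) return 2;
    if (strcmp(buf[p.rx], "HELO x\n") != 0) return 3;
    pair_close(&p);
    if (pair_open(&p) != 0) return 4;                 /* 2: split command, reassembled via buf_counter */
    if (pair_send(&p, "MAIL", 4) != RD_NEED_MORE) return 5;
    if (pair_send(&p, " FROM\n", 6) != RD_LINE_DONE) return 6;
    if (strcmp(buf[p.rx], "MAIL FROM\n") != 0) return 7;
    pair_close(&p);
    memset(line, 'A', sizeof line);                   /* 3: over-long line stops at the edge */
    if (pair_open(&p) != 0) return 8;
    if (pair_send(&p, line, sizeof line) != RD_TOO_LONG) return 9;
    if (buf_counter[p.rx] != MAXLINE - 1 || strlen(buf[p.rx]) != MAXLINE - 1) return 10;
    pair_close(&p);
    /* 4: an fd past MAXFDS is refused instead of indexing buf_counter[] out of range */
    if (w_read_bounded(MAXFDS, line, sizeof line) != RD_ERROR) return 11;
    return 0;
}

int main(void) { int rc = self_check(); printf("self_check: %d\n", rc); return rc; }
```

Build with cc -std=c99 and run; self_check prints 0 when the short, split and over-long cases all behave. On RD_TOO_LONG the rest of the offending line is still queued in the socket, so the caller's correct response is to drop that client rather than read again. MSG_NOSIGNAL is Linux-specific and is defined to 0 where the platform lacks it.
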
------- Comment #1 From Raphael Marichez 2007-06-08 16:51:33 0000 -------
upstream mailed

------- Comment #2 From Pierre-Yves Rofes 2007-07-29 21:52:40 0000 -------
This is public now. strerror, please provide the updated ebuild.

------- Comment #3 From Benjamin Smee (strerror) (RETIRED) 2007-07-30 00:58:45 0000 -------
apologies on the delay, in cvs now
