Bug 181324 - mail-filter/policyd < 1.81 heap based buffer overflow in w_read() (CVE-2007-3791)
Bug#: 181324 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: falco@gentoo.org
Component: Vulnerabilities
URL: 
Summary: mail-filter/policyd < 1.81 heap based buffer overflow in w_read() (CVE-2007-3791)
Keywords:  
Status Whiteboard: ~1? [noglsa]
Opened: 2007-06-08 16:50 0000
Description:   Opened: 2007-06-08 16:50 0000 
policyd.h defines:

  char buf[MAXFDS][MAXLINE];

policyd.c calls:

  rres = w_read(sockfd,buf[sockfd]);

in sockets.c, w_read begins with:

ssize_t
w_read(unsigned int fd, char *ptr)
{
  ssize_t  n;
  size_t   data_read = 0;                                    /* for
debug only */

  /* receive data. disable signals are do not wait */
  while ((n = recv(fd, (void *) ptr + buf_counter[fd], 1, MSG_DONTWAIT |
MSG_NOSIGNAL)) == 1)
...



unfortunately the while() loop can go further than the allocated size of
*ptr. (by entering overly long SMTP commands, >1024 bytes).

This loop needs to be changed like this, for example:

ssize_t w_read(unsigned int fd, char *ptr, unsigned int w_size)
while(( n = (....)) && buf_counter[fd] < w_size ){...}

you also may want to properly set buf[sockfd][MAXSIZE-1] = '\n'; , that
can't hurt.

with a lot of connections, buf_counter[MAXFDS-1][] will be overflowed
and the next variables that reside in .bss will be overwritten. This can
potentialy be used to overwrite random stuff in the heap, and maybe
terminate the daemon or remotely execute arbitrary code.

------- Comment #1 From Raphael Marichez 2007-06-08 16:51:33 0000 ------- 
upstream mailed

------- Comment #2 From Pierre-Yves Rofes 2007-07-29 21:52:40 0000 ------- 
This is public now. strerror, please provide the updated ebuild.

------- Comment #3 From Benjamin Smee (strerror) (RETIRED) 2007-07-30 00:58:45 0000 ------- 
apologies on the delay, in cvs now