| Summary: | qmail-smtpd integer overflow | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Dizzy <dizzy> |
| Component: | New packages | Assignee: | Net-Mail Packages <net-mail+disabled> |
| Status: | RESOLVED INVALID | | |
| Severity: | critical | CC: | rajiv, robbat2, vapier |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://www.guninski.com/qmailcrash.html | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Dizzy
2004-01-15 09:39:25 UTC
Two things here. One, from what I can tell, and please correct me if I'm wrong, this is not exploitable: memory isn't being overwritten here, just indexed incorrectly under some extreme conditions. Two, Georgi Guninski is a tool. It's not even a 'valid' DoS attack, because it's more of a resource attack that would happen even if qmail didn't crash at this 2 GB limit.

Also, I forgot a very important detail: setting "databytes" in /var/qmail/control with a reasonable number (< 2 GB) fixes it :)

Firstly, go and read:

http://cr.yp.to/qmail/guarantee.html
http://cr.yp.to/docs/resources.html
http://cr.yp.to/qmail/venema.html

Next, it sounds like GG didn't run qmail-smtpd with softlimit, as is strongly recommended by DJB (and is used in EVERY qmail build in Gentoo). 'softlimit -m 8000000' -> limits memory to ~8 MB.

From running it against my personal mail server, LIVE, while other mail is coming in:

```
@4000000040078d8b1064e44c tcpserver: status: 3/20
@4000000040078d8b1300b924 tcpserver: pid 5238 from 127.0.0.1
@4000000040078d8b1319abdc tcpserver: ok 5238 localhost:::ffff:127.0.0.1:25 localhost:::ffff:127.0.0.1::38942
@4000000040078d8b24d5aa24 qmail-smtpd: Out of memory while connected to 127.0.0.1!
@4000000040078d8b24e1db3c tcpserver: end 5238 status 256
```

And gdb just notes that the pipe is broken, no segv or anything.
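The comment above argues that the counter is merely "indexed incorrectly" once a message reaches 2 GB, and that a `databytes` value below that mark stops the transfer before the counter can get there. The following is an added illustration of that reasoning, not code from this bug report or from qmail itself: it models a per-message byte counter held in a 32-bit signed `int` and a `databytes`-style cap using qmail's documented convention that 0 means "no limit". The function names, the `enum rc` result codes and the arithmetic shortcut for the counter value are assumptions made for the demonstration; the real qmail-smtpd source is the authority on how its own counter and check behave.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration (not qmail's code): a simplified model of a receive
 * loop that counts message bytes in a 32-bit signed int and enforces a
 * "databytes" cap. Names and structure are assumptions for the demo.
 */

enum rc { RC_OK = 0, RC_TOO_BIG = 1, RC_WRAPPED = 2 };

/*
 * Value a 32-bit signed counter holds after `bytes` increments, computed
 * arithmetically instead of looping two billion times. The wrap from
 * INT32_MAX to INT32_MIN is done explicitly so the result does not depend
 * on the signed-overflow behaviour of the compiler building this demo.
 */
static int32_t counter_after(uint64_t bytes)
{
    uint32_t u = (uint32_t)(bytes & 0xffffffffULL);
    if (u <= (uint32_t)INT32_MAX)
        return (int32_t)u;
    /* u - 2^31 is in [0, 2^31), so the addition cannot overflow. */
    return (int32_t)(u - 2147483648u) + INT32_MIN;
}

/*
 * Model of the receive loop. `databytes` uses the qmail control-file
 * convention where 0 means no limit. With a limit in place the transfer
 * is refused as soon as the count exceeds it, so the counter never reaches
 * the wrap point when databytes < 2^31 - 1. Without a limit, a message of
 * 2^31 bytes or more drives the counter negative, i.e. a bad index.
 */
static enum rc receive_message(uint64_t msg_bytes, uint64_t databytes,
                               int32_t *counter_out)
{
    if (databytes != 0 && msg_bytes > databytes) {
        /* Refused after reading one byte past the configured limit. */
        *counter_out = counter_after(databytes + 1);
        return RC_TOO_BIG;
    }
    *counter_out = counter_after(msg_bytes);
    if (*counter_out >= 0 && (uint64_t)*counter_out == msg_bytes)
        return RC_OK;
    return RC_WRAPPED;
}

/* Convenience wrappers for callers that want only one of the two results. */
static enum rc outcome(uint64_t msg_bytes, uint64_t databytes)
{
    int32_t c;
    return receive_message(msg_bytes, databytes, &c);
}

static int32_t final_counter(uint64_t msg_bytes, uint64_t databytes)
{
    int32_t c;
    (void)receive_message(msg_bytes, databytes, &c);
    return c;
}

int main(void)
{
    const uint64_t two_gib = 1ULL << 31;   /* constructed input: a 2 GiB message */
    const uint64_t cap = 100000000ULL;     /* constructed databytes: ~100 MB */

    printf("no databytes:  rc=%d counter=%d\n",
           (int)outcome(two_gib, 0), (int)final_counter(two_gib, 0));
    printf("databytes set: rc=%d counter=%d\n",
           (int)outcome(two_gib, cap), (int)final_counter(two_gib, cap));
    printf("small message: rc=%d counter=%d\n",
           (int)outcome(5000, cap), (int)final_counter(5000, cap));
    return 0;
}
```

With no limit the 2 GiB message leaves the counter at INT32_MIN, the "indexed incorrectly" case; with a cap of 100 MB the same message is refused at byte 100,000,001, long before the counter could wrap. The softlimit wrapper mentioned in the comment is an independent second line of defence: it bounds the process's memory rather than the message size, which is why the live test above ends in "Out of memory" instead of a crash.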