Hi. As from the URL, an integer overflow exists in the blast() function inside qmail-smtpd. IMO the bug is just a DoS (a very hard to exploit DoS, I'll explain below) because the program should crash just after the overflow when it reads from the wrong memory place; I don't see how you can alter the program execution. It is also a very hard to exploit DoS: uploading 2GB of data on an SMTP connection takes time (especially on WANs) and the crash only affects the current SMTP session, so to actually "exploit" something here one would need to make MANY SMTP connections, feeding 2GB of data very, very quickly on each one. If one has the resources (especially bandwidth) to do that then other DoS attacks (not related to this bug) and much worse can be done (just opening as many SMTP sessions as possible and idling on them as long as you can). I reported this problem because I use Gentoo in some production systems and I trust the quality of Gentoo devs to look into it and prove me wrong if I am. In any case Gentoo would probably like to make some minor patch to fix it (someone just told me RFC822 says a header line must be 1024 bytes max, so bailing out when pos > 1024 while in headers would be one possible fix).

Reproducible: Always

Steps to Reproduce:
Write over 2GB of a mail header in an SMTP session.

Actual Results:
Segmentation Fault

Expected Results:
Bail out with error (RFC822 doesn't allow > 1024 bytes mail headers).
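The overflow the report describes and the cap it proposes, as an added example in C (this is not qmail's code and not the reporter's): a header scanner modelled on a per-line position counter that drives a small string lookup. The Received:/Delivered-To: hop counting, the function names and the 1024-byte cap are assumptions made here for illustration. wrapped_int_counter() spells out what a 32-bit int position holds once more than 2^31 - 1 bytes of one header line have been counted, and guard_passes() shows why a negative position still satisfies a check written only as `pos < 9`, which turns the lookup into a read from the wrong place rather than an overwrite; hdr_scan_byte() is the bounded variant that refuses a header line longer than the cap long before any counter could wrap.

```c
/*
 * Added example, not qmail's code: a header-line scanner in the style the
 * report describes (a per-line byte position driving a table lookup while
 * in the headers). The Received:/Delivered-To: hop counting and the
 * 1024-byte cap are assumptions made here for illustration.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_HEADER_LINE 1024   /* cap suggested in the report; not a qmail setting */

enum { SCAN_OK = 0, SCAN_LINE_TOO_LONG = -1 };

/* Value of a 32-bit `int pos` after `bytes` unbounded ++pos steps from 0.
 * Signed overflow is undefined in C, so the two's-complement wrap is
 * computed explicitly in unsigned arithmetic instead of being triggered. */
int32_t wrapped_int_counter(uint64_t bytes)
{
    uint32_t u = (uint32_t)(bytes % 4294967296ULL);
    if (u <= (uint32_t)INT32_MAX)
        return (int32_t)u;
    return -(int32_t)(UINT32_MAX - u) - 1;   /* 0x80000000 -> INT32_MIN */
}

/* The guard pattern that lets a wrapped counter through to "table"[pos]. */
int guard_passes(int32_t pos)
{
    return pos < 9;   /* true for every negative pos */
}

struct hdr_scan {
    int in_header;      /* 1 until the empty line that ends the headers */
    size_t pos;         /* bytes since the most recent '\n' (not an int) */
    int maybe_recv;     /* line may still be a Received: header */
    int maybe_deliv;    /* line may still be a Delivered-To: header */
    int maybe_blank;    /* line may still be the "\r\n" terminator */
    int hops;           /* Received:/Delivered-To: lines seen */
};

void hdr_scan_init(struct hdr_scan *s)
{
    memset(s, 0, sizeof *s);
    s->in_header = 1;
    s->maybe_recv = s->maybe_deliv = s->maybe_blank = 1;
}

/* Feed one byte. Returns SCAN_LINE_TOO_LONG as soon as a header line
 * exceeds MAX_HEADER_LINE bytes, so pos can never approach any limit. */
int hdr_scan_byte(struct hdr_scan *s, unsigned char ch)
{
    if (!s->in_header)
        return SCAN_OK;             /* body bytes are not inspected */
    size_t pos = s->pos;
    if (pos < 9) {                  /* every lookup below is in range */
        if (ch != "delivered"[pos] && ch != "DELIVERED"[pos]) s->maybe_deliv = 0;
        if (s->maybe_deliv && pos == 8) s->hops++;
        if (pos < 8 && ch != "received"[pos] && ch != "RECEIVED"[pos]) s->maybe_recv = 0;
        if (s->maybe_recv && pos == 7) s->hops++;
        if (pos < 2 && ch != "\r\n"[pos]) s->maybe_blank = 0;
        if (s->maybe_blank && pos == 1) s->in_header = 0;   /* "\r\n" line */
        if (pos == 0 && ch == '\n') s->in_header = 0;       /* bare "\n" line */
    }
    s->pos++;
    if (ch == '\n') {
        s->pos = 0;
        s->maybe_recv = s->maybe_deliv = s->maybe_blank = 1;
    } else if (s->pos > MAX_HEADER_LINE) {
        return SCAN_LINE_TOO_LONG;  /* bail out instead of counting on */
    }
    return SCAN_OK;
}

/* Scan a whole message: hop count (>= 0) or SCAN_LINE_TOO_LONG. */
int count_hops(const char *msg, size_t len)
{
    struct hdr_scan s;
    hdr_scan_init(&s);
    for (size_t i = 0; i < len; i++) {
        int r = hdr_scan_byte(&s, (unsigned char)msg[i]);
        if (r != SCAN_OK)
            return r;
    }
    return s.hops;
}

/* Constructed sample: three hop headers, then a body that must be ignored. */
static const char SAMPLE_MSG[] =
    "Received: from a\r\n"
    "Delivered-To: b\r\n"
    "Received: from c\r\n"
    "\r\n"
    "Received: this is body text\r\n";

int demo_sample_hops(void)
{
    return count_hops(SAMPLE_MSG, sizeof SAMPLE_MSG - 1);
}

/* Constructed sample: one header line of MAX_HEADER_LINE + 2 bytes, no newline. */
int demo_overlong_header(void)
{
    char line[MAX_HEADER_LINE + 2];
    memset(line, 'X', sizeof line);
    return count_hops(line, sizeof line);
}
```

The scanner never needs 2GB of input to be tested: the over-long-line case is rejected at byte 1025. One caveat on the figure the report uses: the line limit RFC 2822 and RFC 5322 actually impose is 998 characters excluding CRLF, so a cap of 1024 is generous rather than strict. Either way, the operational mitigations mentioned later in the thread (a sane control/databytes and running qmail-smtpd under softlimit) stop the session well before a counter can reach 2^31.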
Two things here... One, from what I can tell, and please correct me if I'm wrong, this is not exploitable... memory isn't being overwritten here, just indexed incorrectly under some extreme conditions. Two, Georgi Guninski is a tool.
It's not even a 'valid' DoS attack, because it's more of a resource attack that would happen even if qmail didn't crash at this 2GB limit.
Also, I forgot a very important detail: setting "databytes" in /var/qmail/control to a reasonable number (< 2GB) fixes it :)
Firstly, go and read:
http://cr.yp.to/qmail/guarantee.html
http://cr.yp.to/docs/resources.html
http://cr.yp.to/qmail/venema.html

Next, it sounds like GG didn't run qmail-smtpd with softlimit, as is strongly recommended by DJB (and is used in EVERY qmail build in Gentoo): 'softlimit -m 8000000' -> limits memory to ~8MB. From running it against my personal mailserver, LIVE while other mail is coming in:

@4000000040078d8b1064e44c tcpserver: status: 3/20
@4000000040078d8b1300b924 tcpserver: pid 5238 from 127.0.0.1
@4000000040078d8b1319abdc tcpserver: ok 5238 localhost:::ffff:127.0.0.1:25 localhost:::ffff:127.0.0.1::38942
@4000000040078d8b24d5aa24 qmail-smtpd: Out of memory while connected to 127.0.0.1!
@4000000040078d8b24e1db3c tcpserver: end 5238 status 256

and gdb just notes that the pipe is broken, no segv or anything.
*** Bug 38841 has been marked as a duplicate of this bug. ***