Bug 38304 - qmail-smtpd integer overflow
Summary: qmail-smtpd integer overflow
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High critical
Assignee: Net-Mail Packages
URL: http://www.guninski.com/qmailcrash.html
Whiteboard:
Keywords:
Duplicates: 38841
Depends on:
Blocks:
Reported: 2004-01-15 09:39 UTC by Dizzy
Modified: 2004-01-20 14:56 UTC
CC List: 3 users

See Also:
Package list:
Runtime testing required: ---


Description Dizzy 2004-01-15 09:39:25 UTC
Hi

As described at the URL, an integer overflow exists in the blast() function inside qmail-smtpd. IMO the bug is just a DoS (a very hard to exploit DoS, I'll explain below) because the program should crash just after the overflow when it reads from the wrong memory place; I don't see how you can alter the program execution.

It is also a very hard to exploit DoS: uploading 2 GB of data on an SMTP connection takes time (especially on WANs) and the crash only affects the current SMTP session, so to actually "exploit" something here one would need to make MANY SMTP connections, feeding 2 GB of data very quickly on each one. If one has the resources (especially bandwidth) to do that, then other DoS attacks (not related to this bug) and much worse can be done (just opening as many SMTP sessions as possible and idling on them as long as you can).

I reported this problem because I use Gentoo on some production systems and I trust the quality of the Gentoo devs to look into it and prove me wrong if I am. In any case Gentoo would probably like to make some minor patch to fix it (someone just told me RFC 822 says a header line must be 1024 bytes max, so bailing out when pos > 1024 while in headers would be one possible fix).


Reproducible: Always
Steps to Reproduce:
Write over 2 GB of a mail header in an SMTP session.
Actual Results:
Segmentation Fault

Expected Results:
Bail out with an error (RFC 822 doesn't allow > 1024 byte mail headers).
Comment 1 SpanKY gentoo-dev 2004-01-15 09:57:48 UTC
2 things here ...

one, from what i can tell, and please correct me if i'm wrong, this is not exploitable ... memory isn't being overwritten here, just indexed incorrectly under some extreme conditions

two, Georgi Guninski is a tool
Comment 2 SpanKY gentoo-dev 2004-01-15 09:58:47 UTC
it's not even a 'valid' DoS attack because it's more of a resource attack that would happen even if qmail didn't crash at this 2 GB limit
Comment 3 Dizzy 2004-01-15 10:25:00 UTC
Also I forgot a very important detail: setting "databytes" in /var/qmail/control to a reasonable number (< 2 GB) fixes it :)
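The two mitigations raised in this thread, the reporter's suggested 1024-byte header-line cap and the control/databytes message-size cap from comment 3, combined into one DATA-phase scanner. This is an added illustration written for this page, not qmail's blast() or any other qmail code; the function names, the 554 reply text and the sample input are constructed, and the 552 reply is modelled on qmail's databytes rejection. The point it shows is that bounding both counters keeps them from ever approaching the 2 GB region the report describes, so the session is refused with an SMTP error instead of crashing.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Header-line cap suggested in the report (RFC 822), and a message-size cap
 * modelled on qmail's control/databytes, where 0 means "no limit". */
#define MAX_HEADER_LINE 1024UL

enum hdr_status {
    HDR_OK = 0,
    HDR_LINE_TOO_LONG = 1,   /* a header line grew past MAX_HEADER_LINE */
    HDR_TOO_BIG = 2          /* the message exceeded the databytes cap */
};

struct hdr_state {
    unsigned long pos;        /* bytes on the current line (reset at '\n') */
    unsigned long total;      /* bytes seen in this message so far */
    unsigned long databytes;  /* 0 = unlimited, as with qmail's control file */
    int in_headers;           /* 1 until the first empty line */
};

void hdr_init(struct hdr_state *st, unsigned long databytes)
{
    memset(st, 0, sizeof *st);
    st->databytes = databytes;
    st->in_headers = 1;
}

/* Scan one chunk of DATA-phase input. Returns HDR_OK to keep reading, or the
 * reason to abort. Neither counter can grow without bound: pos is reset on
 * every newline and refused past 1024 while in headers, total is refused past
 * databytes. (Hypothetical code, not qmail's.) */
enum hdr_status hdr_feed(struct hdr_state *st, const char *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++) {
        if (st->databytes && st->total >= st->databytes)
            return HDR_TOO_BIG;
        st->total++;
        if (buf[i] == '\n') {
            if (st->pos == 0)
                st->in_headers = 0;   /* empty line: headers are over */
            st->pos = 0;
        } else if (buf[i] != '\r') {  /* CR before LF does not count toward the line */
            st->pos++;
            if (st->in_headers && st->pos > MAX_HEADER_LINE)
                return HDR_LINE_TOO_LONG;
        }
    }
    return HDR_OK;
}

/* Convenience wrapper: scan a whole message under a given databytes cap. */
enum hdr_status scan_message(const char *msg, size_t len, unsigned long databytes)
{
    struct hdr_state st;
    hdr_init(&st, databytes);
    return hdr_feed(&st, msg, len);
}

/* SMTP reply for each outcome. The 552 text follows qmail's databytes
 * rejection; the 554 text is constructed for this example. */
const char *hdr_reply(enum hdr_status s)
{
    switch (s) {
    case HDR_LINE_TOO_LONG:
        return "554 header line too long (limit 1024 bytes)";
    case HDR_TOO_BIG:
        return "552 sorry, that message size exceeds my databytes limit (#5.3.4)";
    default:
        return "354 go ahead";
    }
}

int main(void)
{
    /* Constructed sample: a normal header, then one line past the cap. */
    static char oversized[MAX_HEADER_LINE + 2];
    struct hdr_state st;
    enum hdr_status s;

    memset(oversized, 'A', sizeof oversized);
    hdr_init(&st, 0);
    s = hdr_feed(&st, "Subject: hello\n", 15);
    printf("after first header line: %s\n", hdr_reply(s));
    s = hdr_feed(&st, oversized, sizeof oversized);
    printf("after oversized line:    %s\n", hdr_reply(s));
    printf("10-byte cap, 11 bytes:   %s\n",
           hdr_reply(scan_message("abcdefghijk", 11, 10)));
    return 0;
}
```

With databytes left at 0 the header-line cap alone stops the long-header case; with databytes set, as comment 3 recommends, the whole session is bounded regardless of where the bytes land, which is why that control file on its own already removes the crash described in the report.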
Comment 4 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-01-15 23:08:35 UTC
firstly go and read:
http://cr.yp.to/qmail/guarantee.html
http://cr.yp.to/docs/resources.html
http://cr.yp.to/qmail/venema.html

next, it sounds like GG didn't run qmail-smtpd with softlimit as is strongly recommended by DJB (and is used in EVERY qmail build in gentoo)
'softlimit -m 8000000' -> limits memory to ~8mb

from running it against my personal mailserver, LIVE while other mail is coming in:
@4000000040078d8b1064e44c tcpserver: status: 3/20
@4000000040078d8b1300b924 tcpserver: pid 5238 from 127.0.0.1
@4000000040078d8b1319abdc tcpserver: ok 5238 localhost:::ffff:127.0.0.1:25 localhost:::ffff:127.0.0.1::38942
@4000000040078d8b24d5aa24 qmail-smtpd: Out of memory while connected to 127.0.0.1!
@4000000040078d8b24e1db3c tcpserver: end 5238 status 256

and gdb just notes that the pipe is broken, no segv or anything.
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2004-01-20 14:56:38 UTC
*** Bug 38841 has been marked as a duplicate of this bug. ***