ssmtp dies with standardise() -- Buffer overflow
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ssmtp (Ubuntu) | Fix Released | Undecided | Nicolas Valcarcel |
Bug Description
Binary package hint: ssmtp
A line which begins with a period ('.') and is BUF_SZ - 1 (e.g. 2047) or longer in length (not counting \n) will die() with:
ssmtp: standardise() -- Buffer overflow
This is a specific case. The general case is that a buffer passed into standardise() which begins with a period and is BUF_SZ - 1 bytes in length will produce this error.
I think the fix is to call fgets() with sizeof(buf) - 2 instead of sizeof(buf) in ssmtp().
With this fix another problem is that in the sent e-mail the line is truncated by two bytes. The fix is to use (BUF_SZ) in smtp_write() instead of (BUF_SZ - 2).
Index: ssmtp.c
=======
--- ssmtp.c (revision 57)
+++ ssmtp.c (working copy)
@@ -1361,7 +1361,7 @@
ssize_t outbytes = 0;
va_start(ap, format);
- if(vsnprintf(buf, (BUF_SZ - 2), format, ap) == -1) {
+ if(vsnprintf(buf, BUF_SZ, format, ap) == -1) {
die(
}
va_end(ap);
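Review bot: The `== -1` test on the changed vsnprintf() line does not detect truncation. A C99 vsnprintf() returns the length the output would have had, so a formatted string of BUF_SZ bytes or more passes this check and is silently cut; suggest keeping the return value in a variable and treating `n < 0 || n >= BUF_SZ` as the failure. Raising the limit from `(BUF_SZ - 2)` to `BUF_SZ` also gives up two bytes of headroom, and the hunk shows neither the declaration of buf nor what happens to buf after va_end(), so please confirm that buf holds at least BUF_SZ bytes and that nothing is appended to it afterwards.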
@@ -1628,7 +1628,7 @@
/* don't hang forever when reading from stdin */
while(
- if (!fgets(buf, sizeof(buf), stdin)) {
+ if (!fgets(buf, sizeof(buf)-2, stdin)) {
/* if nothing was received, then no transmission
* over smtp should be done */
sleep(1);
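Review bot: With `sizeof(buf)-2` on the fgets() line, an input line longer than the new limit comes back in several pieces, and nothing in the hunk distinguishes a continuation piece from the start of a line. If each piece is passed to standardise(), a piece that happens to begin with '.' would get the leading-period treatment even though it is mid-line; suggest tracking whether the previous read ended in '\n' and applying that step only at a true line start. The bare `-2` also needs a comment saying which bytes it reserves, and `sizeof(buf) - 2` would match the spacing of `(BUF_SZ - 2)` in the first hunk.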
I mislabeled test_cast.001. The correct description should be:
Demonstrate that a line which is BUF_SZ - 1 in length (not counting \n) beginning with a period will die().
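The length arithmetic behind this report, as an added example that is neither ssmtp's code nor part of the original report. `dot_stuff()` and `read_and_stuff()` are hypothetical names, BUF_SZ is assumed to be 2048 (from the report's 2047), and the leading-period step is assumed to add exactly one byte.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SZ 2048 /* assumed; the report gives 2047 as BUF_SZ - 1 */

/* Hypothetical stand-in for the leading-period step: drop the newline, then
 * double a leading '.' in place. Returns -1 if the extra byte cannot fit. */
static int dot_stuff(char *buf, size_t cap)
{
    size_t len;

    buf[strcspn(buf, "\n")] = '\0';
    len = strlen(buf);
    if (buf[0] != '.')
        return 0;
    if (len + 2 > cap)              /* text + added '.' + NUL */
        return -1;
    memmove(buf + 1, buf, len + 1); /* shift right, NUL included */
    buf[0] = '.';
    return 0;
}

/* Constructed input: '.' then 'a's, line_len bytes plus '\n', read back with
 * fgets(buf, read_size, ...). Returns dot_stuff()'s result, -2 on setup error. */
int read_and_stuff(size_t line_len, size_t read_size)
{
    char buf[BUF_SZ];
    FILE *fp;
    int rc;

    if (read_size < 2 || read_size > sizeof(buf) || (fp = tmpfile()) == NULL)
        return -2;
    fputc('.', fp);
    for (size_t i = 1; i < line_len; i++)
        fputc('a', fp);
    fputc('\n', fp);
    rewind(fp);
    rc = fgets(buf, (int)read_size, fp) ? dot_stuff(buf, sizeof(buf)) : -2;
    fclose(fp);
    return rc;
}

int main(void)
{
    printf("read size BUF_SZ:     %d\n", read_and_stuff(BUF_SZ - 1, BUF_SZ));
    printf("read size BUF_SZ - 2: %d\n", read_and_stuff(BUF_SZ - 1, BUF_SZ - 2));
    return 0;
}
```

With a read size of BUF_SZ, fgets() can return BUF_SZ - 1 bytes of text, which leaves no room for the added period; the smaller read size leaves that room.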