Attached. -Nigel
> > There are 2 buffer overrun possibilities which can cause assert()s to be > > triggered, which takes down clamav-milter. > > > > I've sent patches through to Nigel Horne concerning this. > > I must have missed them. Please resend. > > - -Nigel >
diff -c --new-file --recursive clamav-0.60_vanilla/clamav-milter/clamav-milter.c
clamav-0.60_milterfixes/clamav-milter/clamav-milter.c
*** clamav-0.60_vanilla/clamav-milter/clamav-milter.c Tue May 30 01:17:00 2000
--- clamav-0.60_milterfixes/clamav-milter/clamav-milter.c Thu Jul 10 08:22:20
2003
***************
*** 925,933 ****
syslog(LOG_NOTICE, "clean message from %s", privdata->from);
} else {
char **to;
! char err[1024];
FILE *sendmail;
/*
* TODO: check that clamd didn't crash (WIFSIGNALED(status))
*/
--- 925,935 ----
syslog(LOG_NOTICE, "clean message from %s", privdata->from);
} else {
char **to;
! char *err;
FILE *sendmail;
+ int i;
+
/*
* TODO: check that clamd didn't crash (WIFSIGNALED(status))
*/
***************
*** 935,949 ****
syslog(LOG_NOTICE, mess);
snprintf(err, sizeof(err), "Intercepted virus from: %s to:",
privdata->from);
! ptr = strchr(err, '\0');
! /* TODO: check for buffer overrun in err[] */
! for(to = privdata->to; *to; to++) {
! ptr = strrcpy(ptr, " ");
ptr = strrcpy(ptr, *to);
}
- assert(strlen(err) < sizeof(err));
-
if(use_syslog)
syslog(LOG_NOTICE, err);
#ifdef CL_DEBUG
--- 937,963 ----
syslog(LOG_NOTICE, mess);
snprintf(err, sizeof(err), "Intercepted virus from: %s to:",
privdata->from);
!
! /*
! * Setup err as a list of recipients
! */
! i = 1024;
! err = (char *) malloc(i);
! ptr = err;
!
! for (to = privdata->to; *to; to++) {
! /*
! * Re-alloc if we run out of buffer space
! */
! if (ptr + 5 + strlen(*to) >= err + i) {
! i += 1024;
! realloc(err,i);
! }
! ptr = strrcpy(ptr, " ");
ptr = strrcpy(ptr, *to);
+ ptr = strrcpy(ptr, "\n");
}
if(use_syslog)
syslog(LOG_NOTICE, err);
#ifdef CL_DEBUG
***************
*** 978,983 ****
--- 992,998 ----
smfi_setreply(ctx, "550", "5.7.1", "Virus detected by ClamAV -
http://clamav.elektrapro.com");
rc = SMFIS_REJECT;
+ free(err);
}
clamfi_cleanup(ctx);
***************
*** 1117,1127 ****
va_list argp;
va_start(argp, format);
! vsprintf(output, format, argp);
va_end(argp);
len = strlen(output);
- assert(len <= sizeof(output));
ptr = output;
}
#ifdef CL_DEBUG
--- 1132,1141 ----
va_list argp;
va_start(argp, format);
! vsnprintf(output, BUFSIZ, format, argp);
va_end(argp);
len = strlen(output);
ptr = output;
}
#ifdef CL_DEBUG
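Review bot: The bound passed to `vsnprintf(output, BUFSIZ, format, argp);` is a hard-coded constant rather than the size of the buffer, and the declaration of `output` is outside this hunk, so the two cannot be checked against each other here. If `output` is an array, `vsnprintf(output, sizeof(output), format, argp);` keeps the bound tied to the declaration. The return value is also ignored, so an over-long message is silently truncated and then sent with `len = strlen(output)`. Checking for a negative result or one `>= sizeof(output)` and logging or failing in that case would make truncation visible.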
