hi,
> YOUR PROGRAM crashes, not Postfix. Do not blame the messenger who
I know that. I don't want to undermine anyone's work. Actually, what I
said was..... is there any bad information at all that I'm sending from
my script which makes postfix crash?
>> strcpy(hola,"MAIL FROM:<");
>> strcat(hola,remitent);
>> strcat(hola,">\r\n");
> What happens when the string is larger than your hola buffer?
> Your program will have a buffer overflow vulnerability.
uhmmmm.... I don't know about that. I agree that I don't check if, for
example, "remitent" is longer than "hola" and therefore there's an
overflow vulnerability, it's only a preliminary version of what I intend
to do with this script... but.... why is it that the script doesn't
crash at that point? I mean.... according to the log file.... even when
the script crashes... it gets to the end of the file, it doesn't stop at
that "strcat" call or any other vulnerable call.
Whenever I've used C to write scripts like that I haven't found any case
like this, where there are some wrong lines which may cause the script to
crash but it gets to the end of it anyway... that's actually the issue
that is driving me crazy.
What I'm going to do next is rewrite the whole thing so that I can avoid
these situations you pointed out, but it still looks weird to me.
Thanks for your time.
Wietse Venema wrote:
> Jordi Moles Blanco:
>> the communication with postfix is done by using the function
>> "reinjecta_mail" i've also attached.
>> is there anything wrong that postfix can't understand and therefore
>> crashes?
> YOUR PROGRAM crashes, not Postfix. Do not blame the messenger who
> brings the bad news.
>> FILE *file;
>> file = fopen("/var/log/quota-postfix.log","a+");
> What happens when fopen() does not succeed? Your program crashes
> because it follows a null file pointer.
>> // create the connection
>> hp = gethostbyname(ipnet);
> What happens when gethostbyname() does not succeed? Your program
> crashes because it follows a null hp pointer.
>> bcopy ( hp->h_addr, &(server.sin_addr.s_addr),
>> hp->h_length);
> What happens when a malicious DNS server sends a large reply?
> Your program will have a buffer overflow vulnerability because
> hp->h_length is larger than the server.sin_addr.s_addr buffer.
>> strcpy(hola,"MAIL FROM:<");
>> strcat(hola,remitent);
>> strcat(hola,">\r\n");
> What happens when the string is larger than your hola buffer?
> Your program will have a buffer overflow vulnerability.
>> strcpy(hola,"RCPT TO:<");
>> strcat(hola,victima);
>> strcat(hola,">\r\n");
> What happens when the string is larger than your hola buffer?
> Your program will have a buffer overflow vulnerability.
> And so on.
> Wietse
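The length and null-pointer checks asked for in the quoted reply, written out as an added example that is not part of the original thread or of either poster's code. The function names `build_smtp_cmd` and `copy_host_addr`, the 64-byte buffer size and the sample addresses are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Build "<verb>:<addr>\r\n" into out (hypothetical helper).
 * Returns the length written, or -1 if the command would not fit. */
int build_smtp_cmd(char *out, size_t outlen, const char *verb, const char *addr)
{
    int n = snprintf(out, outlen, "%s:<%s>\r\n", verb, addr);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0)
            out[0] = '\0';      /* never leave a truncated command behind */
        return -1;
    }
    return n;
}

/* Copy the first address of a resolver result into dst (hypothetical helper).
 * Returns 0 on success, -1 on a NULL result, a non-IPv4 result, or a
 * length that does not match the destination exactly. */
int copy_host_addr(const struct hostent *hp, struct in_addr *dst)
{
    if (hp == NULL || hp->h_addr_list == NULL || hp->h_addr_list[0] == NULL)
        return -1;
    if (hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof(*dst))
        return -1;
    memcpy(dst, hp->h_addr_list[0], sizeof(*dst));
    return 0;
}

int main(void)
{
    char hola[64];              /* constructed size; the post does not give it */
    char llarg[200];            /* constructed over-long sender address */
    struct in_addr addr;

    memset(llarg, 'a', sizeof(llarg) - 1);
    llarg[sizeof(llarg) - 1] = '\0';

    printf("%d\n", build_smtp_cmd(hola, sizeof(hola), "MAIL FROM", "user@example.com"));
    printf("%d\n", build_smtp_cmd(hola, sizeof(hola), "MAIL FROM", llarg));
    printf("%d\n", copy_host_addr(NULL, &addr));   /* failed lookup */
    return 0;
}
```

The same pattern applies to the `fopen()` call: test the returned pointer for NULL before the first write to the log.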