Vulnerability Development mailing list archives
Fw: Buffer overflow potential in centerICQ mail handling
From: "KF" <dotslash () snosoft com>
Date: Wed, 10 Jul 2002 15:22:59 -0700
----- Original Message -----
From: "KF" <dotslash () snosoft com>
Subject: Buffer overflow potential in centerICQ mail handling
CenterICQ installed from centericq-4.7.2-3.rh7.rpm or centericq-4.7.2.tar.gz has a potential buffer overflow in the mail handling.
Fix: src/hooks/msnhook.cc

    sprintf(buf, _("+ [msn] e-mail from %s <%s>, %s"), mail->from, mail->fromaddr, mail->subject);

    snprintf(buf, 1023, _("+ [msn] e-mail from %s <%s>, %s"), mail->from, mail->fromaddr, mail->subject);

Info: msnhook::mailed is passed "data"... data.fromaddr combined with data.subject can trigger a buffer overflow due to their size being dynamic.
void msnhook::mailed(void *data) {
    MSN_MailNotification *mail = (MSN_MailNotification *) data;

    if(mail->from) {
        char buf[1024];
        sprintf(buf, _("+ [msn] e-mail from %s <%s>, %s"), mail->from, mail->fromaddr, mail->subject);
        ...
}

The "data" comes from code in ./libmsn-0.1/msn_commands.cc, which parses an email message and extracts info from the message, in particular the "From-Addr" and "Subject" fields, which get stuffed into buf, which is only 1024 chars in length.

...
else if (strstr(mimeInfo, "text/x-msmsgsemailnotification")) {
    char *tmp = strstr(im, "From: ") + strlen("From: ");
    MSN_MailNotification data;

    data.from = tmp;
    tmp = strstr(data.from, "\r\n");
    *tmp = '\0';
    DecodeMime(data.from);
    ...
    data.subject = strstr(tmp + 1, "Subject: ") + strlen("Subject: ");
    tmp = strstr(data.subject, "\r\n");
    *tmp = '\0';
    DecodeMime(data.subject);
    ...
    data.fromaddr = strstr(tmp + 1, "From-Addr: ") + strlen("From-Addr: ");
    tmp = strstr(data.fromaddr, "\r\n");
    *tmp = '\0';

-KF
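The following is an added example, not KF's post nor centericq/libmsn code, showing a bounded version of the two steps the post describes: pulling the From / From-Addr / Subject values out of the notification headers, and formatting them into a fixed 1024-byte buffer. The struct, the FIELD_MAX limit, the function names and the sample header block are all assumptions made for the example; the gettext _() wrapper around the format string is dropped. The point it adds to the page's snprintf fix is that snprintf should be given the real buffer size (sizeof buf, not a hard-coded 1023) and its return value checked, so that an oversized field is reported as truncation rather than silently cut.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not centericq or libmsn code). Sizes are assumptions. */
#define NOTIFY_BUF_SIZE 1024   /* same size as buf in msnhook::mailed */
#define FIELD_MAX 1024         /* per-field copy limit, including NUL */

typedef struct {
    char from[FIELD_MAX];
    char fromaddr[FIELD_MAX];
    char subject[FIELD_MAX];
} mail_notification;

/* Constructed sample notification block (not captured traffic). */
static const char SAMPLE_HEADERS[] =
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/x-msmsgsemailnotification; charset=UTF-8\r\n"
    "\r\n"
    "From: Alice Example\r\n"
    "From-Addr: alice@example.invalid\r\n"
    "Subject: hello\r\n";

/* Copy the value following `name` (e.g. "Subject: ") up to the next CRLF into
 * out[outsz]. The input is left unmodified, a missing header is reported via
 * the return value instead of being dereferenced, and the copy is bounded;
 * *truncated tells the caller whether the value had to be cut. */
bool extract_header(const char *hdrs, const char *name,
                    char *out, size_t outsz, bool *truncated)
{
    const char *start = strstr(hdrs, name);
    if (!start || outsz == 0) return false;
    start += strlen(name);
    const char *end = strstr(start, "\r\n");
    if (!end) end = start + strlen(start);   /* last line without CRLF */
    size_t len = (size_t)(end - start);
    *truncated = len >= outsz;
    if (*truncated) len = outsz - 1;
    memcpy(out, start, len);
    out[len] = '\0';
    return true;
}

/* Hardened counterpart of the sprintf() call in msnhook::mailed: snprintf is
 * given the real buffer size and its return value is checked, so truncation
 * becomes visible instead of being dropped silently. */
bool format_mail_notice(char *buf, size_t bufsz,
                        const mail_notification *m, bool *truncated)
{
    int n = snprintf(buf, bufsz, "+ [msn] e-mail from %s <%s>, %s",
                     m->from, m->fromaddr, m->subject);
    if (n < 0) return false;                 /* encoding error */
    *truncated = (size_t)n >= bufsz;         /* n excludes the NUL */
    return true;
}

/* Fill a mail_notification from a header block. Returns the number of the
 * three fields found; *any_truncated is set if any field was cut. */
int parse_notification(const char *hdrs, mail_notification *m, bool *any_truncated)
{
    bool t = false;
    int found = 0;
    *any_truncated = false;
    m->from[0] = m->fromaddr[0] = m->subject[0] = '\0';
    if (extract_header(hdrs, "From: ", m->from, sizeof m->from, &t))           { found++; *any_truncated |= t; }
    if (extract_header(hdrs, "From-Addr: ", m->fromaddr, sizeof m->fromaddr, &t)) { found++; *any_truncated |= t; }
    if (extract_header(hdrs, "Subject: ", m->subject, sizeof m->subject, &t))  { found++; *any_truncated |= t; }
    return found;
}

/* Constructed oversized case: a 1500-byte Subject, well past the 1024-byte
 * buffer the original sprintf() wrote into. Returns true only if both the
 * field copy and the final formatting report truncation. */
bool oversized_subject_is_flagged(void)
{
    char hdrs[2048];
    size_t pos = (size_t)snprintf(hdrs, sizeof hdrs,
                                  "From: Bob\r\nFrom-Addr: bob@example.invalid\r\nSubject: ");
    memset(hdrs + pos, 'A', 1500);
    pos += 1500;
    memcpy(hdrs + pos, "\r\n", 3);           /* copies the terminating NUL too */

    mail_notification m;
    bool field_trunc = false, fmt_trunc = false;
    char buf[NOTIFY_BUF_SIZE];
    parse_notification(hdrs, &m, &field_trunc);
    format_mail_notice(buf, sizeof buf, &m, &fmt_trunc);
    return field_trunc && fmt_trunc;
}

int main(void)
{
    mail_notification m;
    bool t = false;
    char buf[NOTIFY_BUF_SIZE];
    int found = parse_notification(SAMPLE_HEADERS, &m, &t);
    format_mail_notice(buf, sizeof buf, &m, &t);
    printf("%d fields, truncated=%d: %s\n", found, (int)t, buf);
    printf("oversized subject flagged: %d\n", (int)oversized_subject_is_flagged());
    return 0;
}
```

The layered checks matter because the headers are attacker-controlled input: with the post's snprintf(buf, 1023, ...) fix the overflow is gone, but a long Subject is still cut without any signal, whereas here both the extraction and the formatting step tell the caller that it happened, which is what you want to log.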