From ken at jots.org Thu Aug 13 11:12:41 2009
From: ken at jots.org (Ken D'Ambrosio)
Date: Thu, 13 Aug 2009 11:12:41 -0400 (EDT)
Subject: [imapproxy-info] Buffer overflow.
Message-ID: <1dc2a8e7d66ef094edcfd6b0fc53d387.squirrel@webmail.jots.org>

Hi, all. It's a long story, but I've got a huge IMAP mailstore (on a DBMail backend) that I'm attempting to index with Aduna Autofocus. With both Ubuntu's 1.2.6 and a self-compiled version of 1.2.7rc2, I get a buffer overflow, and imapproxy dies horribly. Here's what appears to be a pertinent snippet from strace:

[pid 11139] read(7, "A0 CAPABILITY\r\n"..., 4096) = 15
[pid 11139] write(7, "* CAPABILITY IMAP4 IMAP4rev1 AUTH=LOGIN ACL NAMESPACE CHILDREN SORT QUOTA THREAD=ORDEREDSUBJECT UNSELECT XIMAPPROXY\r\nA0 OK Completed\r\n"..., 134) = 134
[pid 11139] poll([{fd=7, events=POLLIN}], 1, 1800000) = 1 ([{fd=7, revents=POLLIN}])
[pid 11139] read(7, "A1 AUTHENTICATE LOGIN\r\n"..., 4096) = 23
[pid 11139] write(7, "+ VXNlcm5hbWU6\r\n"..., 16) = 16
[pid 11139] read(7, "YWRtaW4=\r\n"..., 4096) = 10
[pid 11139] open("/dev/tty", O_RDWR|O_NOCTTY|O_NONBLOCK) = -1 ENXIO (No such device or address)
[pid 11139] writev(2, [{"*** "..., 4}, {"buffer overflow detected"..., 24}, {" ***: "..., 6}, {"in.imapproxyd"..., 13}, {" terminated\n"..., 12}], 5) = 59

I'm running on Ubuntu Karmic; is there anything I can do to help troubleshoot the issue?

Thanks much!

-Ken

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

From: japc at co.sapo.pt (Jose Celestino)
Date: Thu, 13 Aug 2009 22:49:05 +0100
Subject: [imapproxy-info] Buffer overflow.
In-Reply-To: <1dc2a8e7d66ef094edcfd6b0fc53d387.squirrel@webmail.jots.org>
References: <1dc2a8e7d66ef094edcfd6b0fc53d387.squirrel@webmail.jots.org>
Message-ID: <1250200145.10997.18.camel@morgoth>

On Thu, 2009-08-13 at 11:12 -0400, Ken D'Ambrosio wrote:
> Hi, all. It's a long story, but I've got a huge IMAP mailstore (on a
> DBMail backend) that I'm attempting to index with Aduna Autofocus. With
> both Ubuntu's 1.2.6 and a self-compiled version of 1.2.7rc2, I get a
> buffer overflow, and imapproxy dies horribly. Here's what appears to be a
> pertinent snippet from strace:
> ...
> I'm running on Ubuntu Karmic; is there anything I can do to help
> troubleshoot the issue?
>

I sent Dave McMurtrie a patch regarding that issue in January:

diff -bur up-imapproxy-1.2.7rc2-OLD/src/request.c up-imapproxy-1.2.7rc2/src/request.c
--- up-imapproxy-1.2.7rc2-OLD/src/request.c 2009-01-28 01:28:38.000000000 +0000
+++ up-imapproxy-1.2.7rc2/src/request.c 2009-01-28 01:48:55.000000000 +0000
@@ -778,7 +778,7 @@ /* * Same drill all over again, except this time it's for the password. */ - snprintf( Password, BufLen, "Password:" ); + sprintf( Password, "Password:" ); EVP_EncodeBlock( EncodedPassword, Password, strlen( Password ) );

The thing is on cmd_authenticate_login() char Password[MAXPASSWDLEN] may overflow on snprintf( Password, BufLen, "Password:" ) because BufLen = BUFSIZE - 1 = 4095 < MAXPASSWDLEN = 64. Libssp from later gcc notices it and acts proactively, signaling the application with an ABRT.

-- 
Jose Celestino
SAPO.pt::Systems
http://www.sapo.pt
---------------------------------------------------------------------
* Progress (n.): The process through which Usenet has evolved from smart people in front of dumb terminals to dumb people in front of smart terminals.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.andrew.cmu.edu/pipermail/imapproxy-info/attachments/20090813/35079654/attachment.bin

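Review bot: the `-`/`+` pair in this hunk drops the bound altogether instead of correcting it; with `Password` declared as `char Password[MAXPASSWDLEN]`, the fix that keeps the write bounded is `snprintf( Password, sizeof( Password ), "Password:" );`. Plain `sprintf` is safe here only because "Password:" is a 10-byte literal going into a 64-byte array, and that safety is silent: nothing will complain if the prompt string later grows or becomes variable. Passing `sizeof( Password )` also keeps the fortify check useful, since what produced the `*** buffer overflow detected ***` abort in the strace was the bound handed to snprintf (4095) exceeding the known object size (64), not the bytes actually written. The context comment "Same drill all over again" says the username prompt above this hunk uses the same `snprintf( ..., BufLen, ... )` pattern, so it needs the same treatment; the diff as posted touches only the password prompt.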
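The prompt construction this message discusses, written out as an added example rather than up-imapproxy's own request.c: the "Username:"/"Password:" prompt is formatted into a 64-byte buffer with the buffer's own size as the snprintf bound (instead of an unrelated BufLen), base64-encoded, and wrapped as the "+ ..." continuation line that the strace in the first message shows. The function names (build_prompt_line, b64_encode, the test helpers) are assumptions for this example; b64_encode is a standalone stand-in for OpenSSL's EVP_EncodeBlock so the code runs without libcrypto. MAXPASSWDLEN = 64 and BUFSIZE = 4096 are the values quoted in the thread. It goes slightly beyond the message by also handling the failure mode: a prompt that will not fit in Password[] is rejected instead of truncated or overflowed.

```c
/*
 * Added example, not up-imapproxy code.  Builds the SASL LOGIN
 * continuation line "+ <base64(prompt)>\r\n" with every write bounded
 * by the destination's own size.  Names below are assumptions for the
 * example; MAXPASSWDLEN and BUFSIZE use the values quoted in the thread.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPASSWDLEN 64      /* size of Password[] as quoted in the thread */
#define BUFSIZE      4096    /* thread: BufLen = BUFSIZE - 1 = 4095 */

/* Minimal base64 encoder standing in for EVP_EncodeBlock().  Refuses to
 * write (returns 0) when the caller's output buffer is too small. */
static size_t b64_encode(char *out, size_t outlen,
                         const unsigned char *in, size_t inlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t need = 4 * ((inlen + 2) / 3) + 1;     /* encoded bytes + NUL */
    size_t o = 0;
    if (outlen < need)
        return 0;
    for (size_t i = 0; i < inlen; i += 3) {
        unsigned v = in[i] << 16;
        if (i + 1 < inlen) v |= in[i + 1] << 8;
        if (i + 2 < inlen) v |= in[i + 2];
        out[o++] = tbl[(v >> 18) & 63];
        out[o++] = tbl[(v >> 12) & 63];
        out[o++] = (i + 1 < inlen) ? tbl[(v >> 6) & 63] : '=';
        out[o++] = (i + 2 < inlen) ? tbl[v & 63] : '=';
    }
    out[o] = '\0';
    return o;
}

/* Formats "+ base64(prompt)\r\n" into line[linelen].  Returns the line
 * length (without NUL), or 0 if any stage would have truncated. */
size_t build_prompt_line(char *line, size_t linelen, const char *prompt)
{
    char Password[MAXPASSWDLEN];                   /* same size as the thread's buffer */
    char Encoded[4 * ((MAXPASSWDLEN + 2) / 3) + 1];
    int n;

    /* The bound is the destination's own size.  A value such as BufLen
     * (4095) is larger than this 64-byte object, which is exactly what
     * the fortified snprintf aborted on in the strace. */
    n = snprintf(Password, sizeof Password, "%s", prompt);
    if (n < 0 || (size_t)n >= sizeof Password)
        return 0;                                  /* would not fit: reject, don't truncate */

    if (b64_encode(Encoded, sizeof Encoded,
                   (const unsigned char *)Password, (size_t)n) == 0)
        return 0;

    n = snprintf(line, linelen, "+ %s\r\n", Encoded);
    if (n < 0 || (size_t)n >= linelen)
        return 0;
    return (size_t)n;
}

/* Test helper: does the continuation line for `prompt` equal `expected`? */
int prompt_line_equals(const char *prompt, const char *expected)
{
    char line[BUFSIZE];
    size_t n = build_prompt_line(line, sizeof line, prompt);
    return n != 0 && n == strlen(expected) && strcmp(line, expected) == 0;
}

/* Test helper: is a prompt of `len` 'A' bytes rejected (too long for Password[])? */
int long_prompt_rejected(size_t len)
{
    char line[BUFSIZE];
    char *p = malloc(len + 1);
    size_t n;
    if (!p)
        return 0;
    memset(p, 'A', len);
    p[len] = '\0';
    n = build_prompt_line(line, sizeof line, p);
    free(p);
    return n == 0;
}

/* Test helper: is the prompt rejected when the output line buffer is only `linelen` bytes? */
int short_line_rejected(const char *prompt, size_t linelen)
{
    char line[BUFSIZE];
    if (linelen > sizeof line)
        linelen = sizeof line;
    return build_prompt_line(line, linelen, prompt) == 0;
}

int main(void)
{
    char line[BUFSIZE];
    size_t n = build_prompt_line(line, sizeof line, "Username:");
    printf("%zu bytes: %s", n, line);   /* the 16-byte "+ VXNlcm5hbWU6\r\n" write seen in strace */
    return 0;
}
```

The two prompts encode to the strings the proxy actually sends: "Username:" to VXNlcm5hbWU6 (the 16-byte write in Ken's strace) and "Password:" to UGFzc3dvcmQ6. A 64-byte prompt is refused because it needs 65 bytes with the NUL, while a 63-byte one still fits; with the bound tied to sizeof Password, that decision stays correct if the array size or the prompt ever changes.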
From: japc at co.sapo.pt (Jose Celestino)
Date: Thu, 13 Aug 2009 22:55:17 +0100
Subject: [imapproxy-info] Buffer overflow.
In-Reply-To: <1250200145.10997.18.camel@morgoth>
References: <1dc2a8e7d66ef094edcfd6b0fc53d387.squirrel@webmail.jots.org> <1250200145.10997.18.camel@morgoth>
Message-ID: <1250200517.10997.21.camel@morgoth>

On Thu, 2009-08-13 at 22:49 +0100, Jose Celestino wrote:
> The thing is on cmd_authenticate_login() char Password[MAXPASSWDLEN] may overflow on
> snprintf( Password, BufLen, "Password:" ) because BufLen = BUFSIZE - 1 = 4095
> < MAXPASSWDLEN = 64.

Of course I meant >

-- 
Jose Celestino
SAPO.pt::Systems
http://www.sapo.pt
---------------------------------------------------------------------
* Progress (n.): The process through which Usenet has evolved from smart people in front of dumb terminals to dumb people in front of smart terminals.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.andrew.cmu.edu/pipermail/imapproxy-info/attachments/20090813/9b477fdf/attachment.bin