Re: [bug-mailutils] Buffer overflow (likely off-by-one vuln) in 'mail'.

bug-mailutils

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [bug-mailutils] Buffer overflow (likely off-by-one vuln) in 'mail'.

From:	Sergey Poznyakoff
Subject:	Re: [bug-mailutils] Buffer overflow (likely off-by-one vuln) in 'mail'.
Date:	Wed, 03 Dec 2014 13:35:32 +0200

Hi Joshua,

Thanks for reporting.  I installed the following patch.

Regards,
Sergey

>From 7d96ed9c94cdb116c5c84213a597b8b0a37e80ad Mon Sep 17 00:00:00 2001
From: Sergey Poznyakoff <address@hidden>
Date: Wed, 3 Dec 2014 13:25:34 +0200
Subject: [PATCH] Fix eventual memory overrun

* mail/mail.c (mail_mainloop): Check command length before
trying to access its last byte.
---
 mail/mail.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mail/mail.c b/mail/mail.c
index f072e34..afdadd4 100644
--- a/mail/mail.c
+++ b/mail/mail.c
@@ -558,7 +558,7 @@ mail_mainloop (char *(*input) (void *, int),
   while ((command = (*input) (closure, 0)) != NULL)
     {
       int len = strlen (command);
-      while (command[len-1] == '\\')
+      while (len > 0 && command[len-1] == '\\')
        {
          char *buf;
          char *command2 = (*input) (closure, 1);
--
1.7.12.1

[Prev in Thread]

Current Thread

[Next in Thread]

[bug-mailutils] Buffer overflow (likely off-by-one vuln) in 'mail'., Joshua Rogers, 2014/12/02
- Re: [bug-mailutils] Buffer overflow (likely off-by-one vuln) in 'mail'., Sergey Poznyakoff <=

Prev by Date: [bug-mailutils] Buffer overflow (likely off-by-one vuln) in 'mail'.
Previous by thread: [bug-mailutils] Buffer overflow (likely off-by-one vuln) in 'mail'.
Index(es):
- Date
- Thread