7504860 2001-11-14 23:08 -0500 /63 lines/ Wietse Venema <wietse@porcupine.org>
Sent by: joel@lysator.liu.se
Imported: 2001-11-15 17:50 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <19769>
Subject: Postfix session log memory exhaustion bugfix
------------------------------------------------------------
From: wietse@porcupine.org (Wietse Venema)
To: bugtraq@securityfocus.com
Message-ID: <20011115040804.6A743C1DEE@tail.porcupine.org>

The Postfix SMTP server maintains a record of SMTP conversations
for debugging purposes. Depending on local configuration details
this record is mailed to the postmaster whenever an SMTP session
terminates with errors.

During code maintenance, a stupid error was introduced into the
code due to which the SMTP session log could grow to an unreasonable
size. This stupid error made Postfix vulnerable to a memory
exhaustion attack.

This error is all my own fault and I take full responsibility for it.

A similarly stupid memory exhaustion vulnerability was found in
the qmail SMTP server more than four years ago. It was never fixed.

The patch below applies to any Postfix release that was issued in
the year 2001. Fully patched releases will be made available via
the usual web sites listed in www.postfix.org.

Primary site: ftp://ftp.porcupine.org/mirrors/postfix-release/index.html
Releases: snapshot-20011114 postfix-20010228-pl07

Thank you for your attention.

Wietse

*** ./smtpd.c- Sun Oct 28 19:31:14 2001 --- ./smtpd.c Wed Nov 14 22:21:46 2001 *************** *** 1060,1065 **** --- 1060,1077 ---- state->where = SMTPD_AFTER_DOT; /* + * Notify the postmaster if there were errors. This usually indicates a + * client configuration problem, or that someone is trying nasty things. + * Either is significant enough to bother the postmaster. XXX Can't + * report problems when running in stand-alone mode: postmaster notices + * require availability of the cleanup service. 
+ */ + if (state->history != 0 && state->client != VSTREAM_IN + && (state->error_mask & state->notify_mask)) + smtpd_chat_notify(state); + smtpd_chat_reset(state); + + /* * Cleanup. The client may send another MAIL command. */ mail_reset(state); (7504860) /Wietse Venema <wietse@porcupine.org>/----
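
Review bot: the comment added after "state->where = SMTPD_AFTER_DOT;" documents the postmaster notice but says nothing about the unconditional smtpd_chat_reset(state) that follows the if, which appears to be the line that keeps the session log from carrying over from one message to the next. A sentence in the comment stating that the history is discarded here, whether or not a notice was sent, would stop a later cleanup from folding the reset into the conditional and reintroducing the growth. Since the reset sits at the end-of-data point, the bound it gives is per completed message; it would be worth confirming in the commit message that every other path on which a session can accumulate history has its own reset or a size limit on state->history. The XXX remark about stand-alone mode is also easy to miss: when state->client is VSTREAM_IN the errors are dropped silently, so consider logging them instead of only skipping smtpd_chat_notify(state).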