Patch info for formatbug_ml
Author Comments
To: stunnel-users@mirt.net
Date: Tue, 18 Dec 2001 15:26:25 +0100
From: Matthias Lange <ml@netuse.de>
Subject: stunnel client security patch
Hi,
I found a format string bug in stunnel.
On some occasions, fdprintf is used without a
format parameter. Fortunately, the errors are
only in the smtp and pop3 client implementations,
so "ordinary" servers are not affected.
I succeeded in crashing stunnel with the following setup:
Acting as a mail server:
$ netcat -p 252525 -l
Acting as a mail client:
$ stunnel -c -n smtp -r localhost:252525
When the connection is established, I send a string like
"%s%s%s%s%s%s%s%s%s%s%s%s" from the netcat to the stunnel.
Then the stunnel performs: fdprintf(c->local_wfd,"%s%s%s%s..."),
prints out a lot of garbage, possibly with a segmentation fault.
I have attached a patch for stunnel-3.21c.
Greetings
Matthias Lange
--
Matthias Lange, BSc
NetUSE AG Dr.-Hell-Straße Fon: +49 431 38643500
http://www.netuse.de/ D-24107 Kiel, Germany Fax: +49 431 38643599
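Added example, not part of the original message or of stunnel's source: the corrected call shape for relaying a peer-supplied line through a printf-style helper, with a compiler annotation that flags the reported pattern. `fmt_line`, `relay_line_safe` and `count_conversions` are hypothetical names; `fmt_line` stands in for `fdprintf` and writes to a buffer instead of a descriptor.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#ifndef __GNUC__
#define __attribute__(x) /* format checking is a GCC/Clang extension */
#endif

/* Hypothetical stand-in for fdprintf(): same printf-style contract, but it
 * formats into a buffer. The attribute lets -Wformat-security flag callers
 * that pass a non-literal format. */
__attribute__((format(printf, 3, 4)))
int fmt_line(char *out, size_t len, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(out, len, format, ap);
    va_end(ap);
    return n;
}

/* Reported pattern (comment only, never executed): fmt_line(out, len, peer_line);
 * each conversion in peer_line makes vsnprintf read an argument never passed. */

/* Corrected pattern: peer data is an argument to a constant format string. */
int relay_line_safe(char *out, size_t len, const char *peer_line)
{
    return fmt_line(out, len, "%s", peer_line);
}

/* How many conversions a line would trigger if misused as the format. */
size_t count_conversions(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') s++;          /* "%%" is a literal percent sign */
        else if (s[1] != '\0') n++;
    }
    return n;
}

int main(void)
{
    char buf[64];
    const char *line = "%s%s%s%s%s%s%s%s%s%s%s%s"; /* constructed peer input */
    relay_line_safe(buf, sizeof buf, line);
    printf("%s -> %zu conversions\n", buf, count_conversions(line));
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn on any caller that passes a non-literal string as the format with no further arguments.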
This website makes patches available for use by the
Internet community. However it does not endorse any of the patches
contained herein. They could work perfectly, or totally foul up
everything. We don't know. Contact the authors if you have any
questions. Use at your own risk.
The Stunnel software package does not contain any
cryptography itself, however please remember that import and/or export of
cryptographic software, code providing hooks to cryptographic
algorithms, and discussion about cryptography is illegal in some countries.
It is imperative for you to know your local laws governing cryptography.
We're not liable for anything you do that violates your local laws.