A remotely triggerable buffer overflow vulnerability was found in the filter_tx_io function in filter.c. Vulnerable piece of code:

    filter_tx_io(struct io *io, int evt)
    {
        struct filter_session *s = io->arg;
        size_t len, n;
        char *data;
        char buf[65535];

        log_trace(TRACE_FILTERS, "filter: filter_tx_io(%p, %s)", s, io_strevent(evt));

        switch (evt) {
        case IO_DATAIN:
            data = iobuf_data(&s->ibuf);
            len = iobuf_len(&s->ibuf);
            memmove(buf, data, len);
            buf[len] = 0;
            log_trace(TRACE_FILTERS, "filter: filter_tx_io: datain (%zu) for req %016"PRIx64": %s",
                len, s->id, buf);
            ...

It's possible for `len` to be greater than 65535, in which case the memmove() overflows `buf`. This issue affects 5.7.x versions. A reproducer for the crash of the service can be found here: http://seclists.org/oss-sec/2015/q4/25
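The unchecked copy described above, modelled next to a bounded replacement, as an added example that is neither OpenSMTPD's code nor the proposed patch. The 65535-byte stack buffer comes from the report; datain_would_overflow, datain_copy_bounded, filter_tx_datain_trace and demo_oversized_line are hypothetical names, and the 'A'-filled input is constructed rather than taken from a real session.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TRACE_BUFSZ 65535   /* size of the stack buffer in filter_tx_io() */

/* The defect: filter_tx_io() does memmove(buf, data, len); buf[len] = 0;
 * on char buf[65535] with len taken from iobuf_len(). Reports whether that
 * would write past the buffer (the NUL needs len + 1 bytes); no copy. */
int datain_would_overflow(size_t len, size_t bufsz)
{
    return len + 1 > bufsz;
}

/* Hardened form: copy at most bufsz - 1 bytes and always NUL-terminate.
 * Returns bytes copied so the caller can tell the trace was truncated. */
size_t datain_copy_bounded(char *buf, size_t bufsz, const char *data, size_t len)
{
    size_t n;
    if (bufsz == 0)
        return 0;
    n = len < bufsz - 1 ? len : bufsz - 1;
    memmove(buf, data, n);
    buf[n] = '\0';
    return n;
}

/* Simulated IO_DATAIN trace using the hardened copy; returns bytes logged. */
size_t filter_tx_datain_trace(const char *data, size_t len)
{
    char buf[TRACE_BUFSZ];
    size_t n = datain_copy_bounded(buf, sizeof(buf), data, len);
    printf("filter: datain (%zu, logged %zu%s): %.32s%s\n", len, n,
           n < len ? ", truncated" : "", buf, n > 32 ? "..." : "");
    return n;
}

/* Constructed input (not a real SMTP session): a line of 'A's of the
 * given length, pushed through the hardened trace; returns bytes logged. */
size_t demo_oversized_line(size_t len)
{
    char *data = malloc(len ? len : 1);
    size_t n;
    if (data == NULL)
        return 0;
    memset(data, 'A', len);
    n = filter_tx_datain_trace(data, len);
    free(data);
    return n;
}
```

With the bounded copy an oversized line is logged truncated to 65534 bytes instead of overrunning the stack frame.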
Created attachment 1079937
Proposed patch

Source: http://seclists.org/oss-sec/2015/q4/26
Created opensmtpd tracking bugs for this issue:

Affects: fedora-all [bug 1268857]
Affects: epel-all [bug 1268858]
Fixed with 5.7.3 upstream release, updates will be pushed in testing soon.
Fixed in opensmtpd version 5.7.3 which is on stable.